Security Policy: Documentation and Implementation
Most babies cry when they receive their first set of vaccines. Mothers know that they must go through this to ensure a healthy future. Like a vaccine, the development and execution of a good security policy will help prevent danger and intrusion later. Being one step ahead of the virus is half the battle; it’s the development and implementation that will essentially win the war.
The average American is surrounded by security policies in just about every aspect of their lives, but never takes the time to acknowledge that fact. Your bank probably has fraud protection for you, and when you travel you must pass through elements of a security policy (e.g. metal detectors, baggage scans, etc.). A prime example of a security policy that had to change because of its inefficiency was 9/11. Until that day, most airlines had policies that kept passengers safe on their flight, policies to ensure or secure your luggage’s arrival, and policies with procedures to follow in an emergency situation. On 9/11 it became clear that airline security policies were outdated and that we as Americans had been left vulnerable to a deadly “virus” for which, up until that day, we had neither vaccine nor quick cure. This unfortunate example is exactly why a security policy must stay one step ahead so that America may have a safe and healthy future. And like a vaccine, a good security policy should prevent future attacks and infections of the virus, which in this example is terror.
“By definition, security policy refers to clear, comprehensive, and well-defined plans, rules and practices that regulate access to an organization’s system and the information included in it. Good policy protects not only information and systems, but also individual employees and the organization as a whole. It also serves as a prominent statement to the outside world about the organization’s commitment to security.” When developing a security policy, every organization will be different. For example, if a bank and a gas station are both being robbed, the procedures or policy that they would follow would be different. The bank teller may find the red button under the counter to push to alert the police that there is a robbery in progress, while the gas station clerk will do whatever the robber says to avoid confrontation, try to get a good look at his face, and then call and report the robbery long after the robber has run away with all the money in the register. These security policies are so different because of one main factor: the robber will not be the same. The bank robber is more likely to have a very well planned point of attack, while the gas station robbery would probably be sudden, done on rash emotions, and hastily planned. The bank robber is going after a much larger amount of money, while on even the best day a gas station robbery may only net $1,000. The security policy is different and aimed at fending off its most likely “virus”. You wouldn’t take Nyquil to treat a kidney infection; in the same way, a gas station is not going to have a policy or plan that would ward off an attack by robbers far more intelligent and well organized than the clerk working there, who may still be in high school. The higher and more intelligent the threat or virus, the more extensive the training of the employees who follow the policy that goes along with it.
No matter what organization it is, every organization or company can build a successful security policy with 12 general questions and 12 clear and concise answers. So, figuratively, let’s build a security policy for an organization that gains all of its profits by buying and selling collectables on eBay.
1. Who developed the policy?
2. Who approved the policy?
3. Whose authority sustains the policy?
4. On which laws or regulations, if any, is the policy based?
5. Who will...