Information Systems for Business and Beyond (2019)

Security Policies

Besides the technical controls listed above, organizations also need to implement security policies as a form of administrative control. In fact, these policies should really be a starting point in developing an overall security plan. A good information security policy lays out the guidelines for employee use of the information resources of the company and provides the company recourse in the event that an employee violates a policy. According to the SANS Institute, a good policy is “a formal, brief, and high-level statement or plan that embraces an organization’s general beliefs, goals, objectives, and acceptable procedures for a specified subject area.” Policies require compliance. Failure to comply with a policy will result in disciplinary action. A policy does not list the specific technical details; instead, it focuses on the desired results. A security policy should be based on the guiding principles of confidentiality, integrity, and availability.

Web use is a familiar example of a security policy. A web use policy lays out the responsibilities of company employees as they use company resources to access the Internet. A good example of a web use policy is included in Harvard University’s “Computer Rules and Responsibilities” policy, which can be found here.

A security policy should also address any governmental or industry regulations that apply to the organization. For example, if the organization is a university, it must be aware of the Family Educational Rights and Privacy Act (FERPA), which restricts access to student information. Health care organizations are obligated to
