The management of the organization is responsible for the application of the security policy. To that end, it must appoint a person responsible for its preparation, evaluation and updating. Regular reviews (every three to five years) or when major changes have taken place are necessary to ensure the relevance and effectiveness of the policy. Information security policies play an important role in the governance of information security. They are used to formally communicate senior management`s overall expectations and intentions for the protection of information in accordance with the business objectives and needs of the organization. Through a security policy, management demonstrates its support and commitment to information security. In general, the issuer is a senior official responsible for emissions and system-specific policies; The more global, controversial or resource-intensive the transmitter, the higher the priority. Physical security policies aim to protect a company`s physical assets, such as buildings and equipment, including computers and other IT equipment. Data security policies protect intellectual property from costly events such as data breaches and data leaks. At the program level, responsibilities should be assigned specifically to organizational elements and officials responsible for the implementation and continuity of the IT security policy.51 Security professionals need to consider a number of areas when developing a security policy. These include: Dictate the role of employees. Each employee generates information that can pose a security risk.

Security policies provide guidance on the behavior required to protect data and intellectual property. Identify third-party vulnerabilities. Some vulnerabilities arise from interactions with other organizations that may have different security standards. Security policies help identify these potential vulnerabilities. The incredible pace of technological innovation requires that all security policies be reviewed regularly. How often? It depends on the needs and technological know-how of your company. In general, however, any new technological change has the potential to require a corresponding change in policy – so it`s a good rule of thumb to review all organizational policies (security or otherwise) at least once a year. Responsibilities. Once the computer security program is in place, its administration is usually entrusted to a newly created office or an existing office.50 Like many people, Fred Jones thought he had a difficult job. As an information systems manager in a small school district, he was responsible for operating a district-wide computer network, from installation and maintenance to user support and training.

Although it was clearly not a one-man job, he was his own employee. Fred had tried to explain to his superintendent that the district network was vulnerable to a number of threats because its small budget and non-existent staff prevented it from effectively managing the security of the system, but his warnings had always been ignored. It really happens! Like many people, Fred Jones thought he had a tough job. As an information systems manager in a small school district, he was responsible for operating a district-wide computer network, from installation and maintenance to user support and training. Although it was clearly not a one-man job, he was his own employee. Fred had tried to explain to his superintendent that the district network was vulnerable to a number of threats because its small budget and non-existent staff prevented it from effectively managing the security of the system, but his warnings had always been ignored. One morning, to Fred`s surprise, at a staff meeting, the superintendent announced that he had read a newspaper article about a student breaking into the computer system of a nearby school district and changing the report records. The boss further explained that Fred will now be responsible for developing and implementing an IT security policy for the school district. Once the meeting was over, Fred contacted the Superintendent to meet with her to discuss a shared vision for the development of the security policy. “An effective security policy requires input and commitment from the entire organization, so I think we should sit down and come up with a plan to develop our security policy,” Fred said. But the superintendent declined the invitation to participate in the political development process. “Fred, I`m too busy to get involved in this project.

I am confident that you will do a job that will make us all proud. When Fred asked if he could increase his staff and budget to cope with the increased workload, the superintendent again dismissed the problem. “Fred, times are tough and the budget is tight. Perhaps we can find a solution next year. In the meantime, you have undertaken to secure our system as if your work depended on it. In fact, I think your work depends on it. Fred watched his unrealistic, though well-intentioned, boss walk away, realizing that his job was no longer difficult, but really impossible. It was now expected to develop, implement, manage and monitor an enterprise-wide security policy without the assistance, consent or support of a single employee, let alone high-level administrators. He knew that the organizational support he hadn`t received meant that there was little chance that he could effectively secure the system and that it was only a matter of time before a significant breach of system security occurred.

Fred found himself in the terrible position of being responsible for stopping the inevitable, but powerless to do so. Contact persons and further information. For each issue-specific policy, the appropriate people within the organization should be identified who can contact for more information, guidance, and compliance. Since positions tend to change less frequently than the people who occupy them, some positions may be preferable as a point of contact. For example, the contact person for some issues may be a direct supervisor; Other issues may involve a facility manager, technical support person, system administrator, or security program representative. Based on the example above, employees would need to know again whether the contact person for questions and information about the procedure is their immediate manager, a system administrator, or an IT security officer. Data is one of the most important resources in an IT organization. It is always generated and transmitted over a company`s network, and it can be made available in countless ways. A security policy guides an organization`s strategy to protect data and other assets. Fred saw his unrealistic, though well-intentioned, boss walk away, realizing that his job was no longer difficult, but really impossible.