Information Security – A forgotten realm


An all too often forgotten or underestimated facet of IT is an organisations Information Security Policy and with the increasing popularity of the use of Cloud resources, both public and hybrid, this becomes especially important.

An Information Security Policy is the cornerstone of an Information Security Program and should reflect an organisation’s objectives for security and the agreed upon business strategy for securing the organisations information. A security policy identifies the rules and procedures that all persons within an organisation accessing computer resources must comply with in order to ensure the confidentiality, integrity, sovereignty and availability of data and resources. Additionally, it documents an organisation’s security posture, describes and assigns functions and responsibilities, grants authority to security professionals, and identifies the incident response processes and procedures.

When developing an IT Security Policy you should keep in mind the ‘defence in-depth’ model. This means an organisation should not rely on one principal means or layer of protection. Instead, a security program should be developed that provides multiple layers of defence. This ensures maximum protection of an organisations data and resources, minimising the potential for compromise.

In order to be useful, an IT Security Policy must be formally agreed upon by executive management. This means that, in order to compose an information security policy document, an organiszation has to have well-defined objectives for security and an agreed-upon management strategy for securing information. If there is any debate over the content of the policy, then this disagreement may continue throughout subsequent attempts to enforce it, with the consequence that the Information Security Program itself will be dysfunctional.

So what determines a good Information Security Policy?

In general a good IT Security Policy does the following:

  • Communicates clear and concise information and is realistic;
  • Includes defined scope and applicability;
  • Makes enforceability possible;
  • Identifies the areas of responsibility for users, administrators, and management;
  • Provides sufficient guidance for development of specific procedures;
  • Balances protection with productivity;
  • Secures assets against theft, fraud, malicious or accidental damage, breach of privacy or confidentiality;
  • Protects an organisation from damage or liability arising from the misuse of its IT resources;
  • Identifies how incidents will be handled; and
  • Is endorsed at the senior management level.
  • So what are the components of an IT Security Policy?
    A security policy should be flexible and adaptable to technology changes, should be a living document routinely updated as new technology and procedures are required to support the organisation. Of course these components will vary by organizsation based on size, services offered, technology, and available revenue.
    Some of the typical elements included in a security policy are:

  • Security Definition
  • Enforcement
  • Acceptable Usage
    • o Email
    • o Internet
    • o Mobile / Portable and Hand Held Devices
  • Logical Security
    • o Identity and Access Management
    • o IPS/IDS
    • o End Point Security and Antivirus
  • Data Security
    • o Remote access
    • o Backup and Recovery
    • o Auditing
  • Physical Security
  • Security Incident Management
  • Business Continuity
  • Security policies are crucial to ensuring the protection of organisational IT assets and information. Should your organisation need assistance with developing an Information Security Policy for your existing environment or an planned Cloud migration project, Diaxion can help you on this journey.