Acct 521 - Information Systems

...

Although organizations have different security needs, they also have different requirements and objectives. The organization should identify security requirements, to include the level of security that the organization wants to achieve. Those security requirements should specify the requirements of the organization for addressing security risks, identified through risk assessment, in order to achieve it security needs and achieve its business objectives. The result of risk assessment is an input to identify security requirements; therefore, some include risk assessment as a practice in their securities policy lifestyle (Bayuk 1997). Although risk assessment is a prerequisite to identify the security requirements, assessing risk should be part of security risk management, not policy development.

Assessing currently implemented security policy and procedure helps the security development team in understanding the current status of existing policy and procedures. This is important as it allows the organization to identify gaps in current policy and to determine whether the existing policy will help the organization in addressing risk by meeting its security requirements, therefore it identifies areas that need to be addressed by the new policy. Also reviewing existing policies and procedures will help ensure that new policies conform to the existing policy standards already set in place. Last the assessment will help gather vital information such as existing policy and procedures documents, which will be used by the development team as a key reference in developing new policies and procedures.

Compiling the security policy document is the last stage in the development phase of information security policy. The security policy document should state the management commitment and direction, and also set the organization’s approach to manage information security. Compiling the security policy document consists of a numerous activities, to include selecting policy components, writing draft policy and presenting the draft by policy to relevant stakeholders for review, comment and proposal (Hare 2002).

Policy items may address access control, internet usage, the use mobile devices and portable storage devices and so on. For example, access controls’ items should discuss authorized access to the systems, ways to control access and consequences of unauthorized access (Wood 2005). The policy development team should appoint one of its members to write the policy. That member should report on characteristics that should be considered when writing security policy. These characteristics are concerned with length and writing style. A security policy document should be short because if it is too long, the users will not read it. It should be written in a clear, concise and easy to understand language.

Creation and Implementation

Once the first draft of the policy is created, it should be presented to the vital stakeholders to review and provide feedback about quality, usability and acceptance of the policy (Whitman 2008). Feedback on the policy should be sent to the author so they are able to update the policy. Then it will be published and also be ready to be implemented (Whitman 2008).

Effective dissemination of the policy to the individual affected by the policy requires substantial effort from organization in order to be done effectively (Whitman 2008). No matter how the organization chooses to distribute the information it should be available and easy to access. An organization should select the most appropriate delivery method to ensure that the policy reaches the people it is applied to. After selection of delivery methods the policy should be prepared in the appropriate format, whether it HTML, PDF, or a Word document (Hare 2002). Once the appropriate format is prepared the distribution of the policy can take place.

When distributing the policy, the organization has to be certain that all individuals who receive it the policy will read it. This can accomplished through good communication. Communicating the policy is essential practice before the enforcement of the policy (Knapp and Ferrante 2012). Successful communication of the policy leads to a better compliance from employees (Sommestad et al. 2014). Communicating the policy has three main focuses, to make users aware of the policy, to communicate reason for implementing the policy, making users aware of how it will affect them and what implications are if they do not comply (Knapp 2009).

Communicating the policy can be done is various ways, whether it is by training sessions that teach the employees the new policy, or by having monthly briefings. Monthly briefing would not only ensure that employees are learning the new policy but that they are also understanding of it. Not only should they understand the policy they should also have the necessary skill to adhere to the policy.

Enforcing policy is an ongoing activity to ensure that the policy is adhered to (Hare 2002). Enforcement of policy is a managerial activity that considers the unauthorized act itself, as well as the severity of the offence and user’s intent (Puhakainen and Siponen 2010). Without enforcement of policy the security policy itself is defeated and holds no value. Implementation can be argued that management should shift from enforcing policy through sanctions and incentives to more of creating a shared vision of the security policy. If you establish a security culture it will result in a more beneficial compliance with the new security policies.

Evaluation of Policy

To have an effective security policy it requires constant review and changes. You first have to determine if the existing policy is still effective, as well as identify the needs to update policy to incorporate any organizational changes that might have taken place. Those aspects serve as inputs for the development of new policy and making sure old policy are still effective.

Through this research it provided a model for information security policy through a management practice. It consisted of three stages of policy implantation; the development stage, the implementation and maintenance stage, and the evaluation stage. Each stage show how management is involved and what they are able to do to ensure information security policy. It will allow practitioners to benchmark their security management against the model and provide a better understanding of security information system process.

Reference

Bayuk, J. (1997). Security Through Process Management. Morristown, NJ: Price Waterhouse.

Hare,