Question

In: Computer Science

It is very important how you craft your organization's security policies with your organization.

Your policy should comprehensively address all the main security vulnerabilities and risks within your organization.

Remember, your overall security policy does not only cover computers, internet, applications, servers, user access, etc., but many other areas which we will delve into. Attached is a sample acceptable use policy from the SANS Institute.

What sections really stand out to you and why?

Solutions

Expert Solution

Answer: A security policy is a document that contains all the methods and procedures to protect the organization from various types of threats such as financial threats, laws and regulations, virus attacks, malware, careless employees, threats to the data of an organization, etc. A security policy can be considered as well-defined plans and practices to access the organization's system and information. A security policy is a document that contains all the threats and also contains the things we need to do when a threat occurs.

A security policy must contain the following features:

  • It should be effective.
  • It must be understood by all.
  • It must include some senior management decisions.
  • It must be in easy and understandable language.

Purpose of preparing a security policy:

  • It is used to overcome the threats to the business.
  • It is used for guiding new and untrained employees.
  • It promotes awareness among the existing employees.
  • It is used to address various threats and their solutions.
  • It provides access to an organization's system.
  • It also provides access to the information in the organization.

There are many threats in an organization, such as natural threats, financial threats, unintentional threats, IT-related threats, and intentional threats. The combination of all the threats and vulnerabilities is known as risk. There are many risk factors to be considered while preparing a security policy for an organization.

Risk is a loss or damage which results from the threats to an organization.

The various threats and risks to the organization are:

  • Financial Risks: Every organization suffers from this risk at some stage. Financial risk can be of any kind, such as bankruptcy, overspending on a particular project, a huge loss to the business, etc.
  • Safety and Environment Risks: There are many safety and environment risks that are generally faced by the organization, such as laws and regulations, and natural disasters, e.g. flood, earthquake, etc.
  • IT Risks: IT risks are the information technology risks to an organization. Some IT risks include risk to the sensitive data of an organization, improper use of data, virus attacks, malware, and system failures.
  • Legal Risks: An organization has to face many legal risks also.
  • Human Resources Risks: An organization has to face many human resource risks. These are related to employees, e.g. if an employee is untrained, fraud, etc.
  • Market Risks: There are many market risks that occur in an organization, such as sudden market changes, risks from stakeholders, etc.
  • Operations Risks: There are many risks that are faced by an organization in their day-to-day operations.

The factors that need to stand out in a particular security policy are:

This security policy includes the security policy of a particular organization. It includes the objectives of the security policy and also provides detailed information on how to achieve them. This security policy is for all the risk factors of the organization. Its scope is to cover all the risk factors, such as financial, environment, IT, legal, human resource, market and operations risks. It deals with all of these and defines the policies to handle them.

Security Objectives:

Security is a must in any kind of organization. The objectives of the security policy are:

  • The main objective of the security policy is to help the organization so that it can function properly and is able to earn huge profits and success.
  • The second objective of the security policy is to maintain all the assets of an organization.
  • It is a must for the organization's success.
  • Security can include legal work such as copyright information and personal information. The main objective of the security policy is to protect copyright and personal information.

Responsibilities:

The responsibilities of each department and their respective heads must stand out in a security policy.

Each person or department is responsible for each kind of security. The responsibilities can be defined in such a way:

  • The chief security officer is responsible for managing all the departments in an organization.
  • The financial security officer is responsible for financial security.
  • The Human Resource security manager is responsible for the employees' security.
  • The IT security manager is responsible for the security of the organization's system from any kind of virus and malware attack.

Notifications of any kind of mishap:

  • All kinds of mishaps must be reported to the concerned officer.
  • Mishaps related to finance must be reported to the financial security officer.
  • Mishaps related to employees must be reported to the Human Resource security officer.
  • Mishaps related to loss of data, system downtime, virus and malware attacks must be reported to the IT security manager.

Risk Management

Risk management is the process of identifying and analyzing risk and performing various operations to minimize the risk.

How risk management is done:

  • First of all, identify all kinds of risks.
  • Analyze the risk.
  • Support from top management is required to handle the risk.
  • Talking with the boss or the head is required to understand what risks have occurred in the organization.
  • Understand the risk and make a valid plan to manage the risk.

Above are all the sections that need to stand out in a particular organization's security policy.
