Question

It is very important about how you craft your organization's security policies with your organization.

Your policy should comprehensively address all the main security vulnerabilities and risks within your organization.

Remember your overall security policy, not all covers computers, internet, applications, servers, user access, etc.. but many other areas which we will delve into. Attached is a sample acceptable use policy from the SANS Institute.

What sections really stand out to you and why?

Answer 1

Answer: Security Policy is a document that contains all the methods and procedures to protect the organization from various types of threats such as financial threats,laws and regulations,virus attacks,malware,careless employees,threats to the data of an organization etc.Security policy can be considered as a well defined plans and practices to access the organization system and the information.Security policy is a document that contains all the threats and also contains the things we need to do when the threat occurs.

Security policy must contains the following features:

• It should be effective.
• It must be understood by all.
• It must include some senior management decisions.
• It must be in easy and understandable language.

Purpose of preparing a security policy:

• It is used to overcome the threats to the business.
• It is used for guiding the new and untrained employees.
• It promotes awareness among the existing employees.
• It is used to address various threats and their solutions.
• It provides access to an organization system.
• It also provides access to the information in the organization.

There are many threats in an organization such as natural threats,financial threats,unintentional threats,IT related threats,Intentional threats.The combination of all the threats and vulnerabilities is known as Risk.There are many risk factors to be considered while preparing a security policy for an organization.

Risk is a loss or damage which results from the threats to an organization.

The various threats and risks to the organization are:

• Financial Risks: Every organization suffers from this risk at some stage.Financial risk can be of any kind such as bankruptcy,Overspend on a particular project,Huge loss to the business etc.
• Safety and Environment Risks:There are many safety and environment risks that are generally faced by the organization.Such as Laws and regulations,Natural Disasters fr eg flood,earthquake etc.
• IT Risks: IT risks are the information technology risks to an organization.It includes the factors like Risk to the sensitive data of an organization,improper use of data,Virus Attacks,Malware,System Failures are the Some IT risks.
• Legal Risks: Organization has to face many legal risks also.
• Human Resources Risks: Organization has to face many Human Resource Risks.These are related to employees.For eg if an employee is untrained,Fraud etc.
• Market Risks: There are many market risks that occurs in an organization such as Suddenly Market Changes,Risks from stakeholders etc.
• Operations Risks: There are many risks that are faced by an organization in their day to day operations.

The factors that needs to be stands out in a particular security policy are:

This security policy includes the security policy of a particular organization.It includes the objectives of security policies and it also provides detailed information that how to achieve it.This security policy is for all the risk factors of the organization.Its scope is to covers all the risk factors such as financial,environment,IT,Legal,Human Resource,Market and Operations Risks.It deals with all of this and defined the policies to handle it.

Security Objectives:

Security is must in any kind of an organization.The objectives of the security policy are:

• The main objective of security policy is to help the organization so that it can function properly and able to earn huge profits and success.
• The second objective of security policy is to maintain all the assets of an organization.
• It is must for the organization's success.
• Security can includes the legal works such as copyright information and personal information.The main objective of security policy is to prevent the copyright and personal information.

Responsibilities:

Responsibilities of each department and their respective head must be stands out in a security policy.

Each person or department is responsible for each kind of security.The responsibilities can be defined in such a way:

• The chief security is responsible for managing all the departments in an organization.
• The financial security officer is responsible for the financial security.
• Human Resource security manager is responsible for the employees security.
• IT security manager is responsible for the security of the organization's system from any kind of virus and malware attack.

Notifications of any kind of mishappening

• All kind of mishappening must be reported to the concerned officer.
• The mishappening related to the finance must be informed to the financial security officer.
• The mishappening related to the employees must be informed to the Human Resource security officer.

The mishappening related to the loss of data,system downtime,virus and malware attacks must be informed to the IT security manager.

Risk Management

Risk Management is the process of identifying and analyzing the risk and performed various operations to minimize the risk.

How Risk Management is done

• First of all identify all kinds of risks
• Analyze the risk.
• Support from the top management is required to handle the risk.
• Talk with the boss or the head is required to understand that what risks are occurred in an organization.
• Understand the risk and make a valid plan to manage the risk.

Above are all the sections that needs to stands out in a particular organization's security policy.