Question 21 (40 pts)
(TCO 1) How should an information security policy be introduced within an organization, and who should be involved in the review and approval process?
The information security policy should be established as a Corporate Code which lays down the foundation for securing and protecting the sensitive and vulnerable information of the organization relating to human resources, trade secrets and corporate dealings. The information security policy should be introduced in the business organization as a secured information system which aims to incorporate an online network or software database where all the essential and confidential information will be saved, with access given only to specified and recognised people inside the organization. The security policy should call for strict guidelines and regulations on how the information shall be used by personnel and to what extent it will be shared with external sources. There should be a zero-tolerance policy against violations of any kind, which should be made subject to termination, penalties or even legal action. A confidentiality agreement can also be put in place, if required, to establish accountability.
A proper code should be introduced for using information inside the organization. The information system should contain directories dedicated to each resource, operation or field of the organization, which will help to easily identify and disseminate the information whenever required.
The security policy should establish a framework to prevent and address the issues of external and internal threats of security violations and the risk of exposing confidential information. External threats such as cyber attacks and hacking should be eliminated by securing the network, and internal threats such as misuse of information should be prevented by limiting access to maintain the integrity of the organization.
The top management and all those decision makers who have a direct concern with the information, a frequent requirement of accessing the data for various operational activities, and are the key people in managing the activities of the organization should be involved in the review and approval of the process. They will need to suggest and recommend changes in the system so that protection is maintained along with ease of use in times of urgency. Moreover, limited access should be given only to certain important employees who might need the stored information for various purposes, with the accountability of not leaking or exposing it.
Thanks, dear student. Hope this will help you. Please rate if satisfied :)