Why do you need an information security policy?

Image: Bizsecure


Your web site is hacked! 

Your customer data is stolen!  

What would you do?

Isn't it a good idea to refer to your Information Security Policy first?

A policy defines the values and views of an organization. Policies are the fundamental rules and regulations that govern the organization.

All employees must follow the policies so that the business runs smoothly. Policies enforce centralized control over the organization's business activities and resources.

Some organization policies provide guidance to employees, and others help protect the business from legal risks.

Policies are general statements of how an organization should act. Procedures define exactly how a task is to be performed, step by step. Guidelines offer further advice on how to execute a procedure.

An information security policy aims to protect the information assets of an organization. It is a set of instructions to employees intended to prevent data breaches.

A security policy is important for identifying and mitigating risks to information.

In most information security incidents, employees are involved directly or indirectly. For instance, phishing scams, malware infections, revenge attacks and industrial espionage are common causes. Therefore information security policies, procedures and guidelines are essential to an organization.

An information security policy defines how information assets and resources should be used, managed, and protected in an organization. It applies to all employees, data, systems, and networks belonging to the organization. It addresses threats and defines strategies and procedures for mitigating information security risks.

The National Institute of Standards and Technology (NIST) defines an information security policy as "an aggregate of directives, regulations, rules, and practices that prescribes how an organization manages, protects, and distributes information."

An information security policy provides the context, objectives, scope, and goals needed to ensure information security.

The core components of an information security policy include:

1. Roles and responsibilities for information security.

2. Minimum information security controls.

3. Procedures for dealing with violations of information security policy rules.

An information security policy needs to reflect unique operational aspects and specific threats related to an industry, region, or organization.

For instance, a healthcare organization collecting Personal Health Information (PHI) should meet HIPAA regulations, while an organization handling the personal data of European citizens must adhere to the General Data Protection Regulation (GDPR). A research and development business needs to consider insider threats to protect its intellectual property.

An information security policy is a living document. It requires regular review and updating as the threat landscape, organizational processes, and regulations change, because:

Information security is a high business priority.

Security protocols need to be kept up to date to address threats and compliance requirements.

It supports accurate issue resolution, disaster recovery, and security management.

It reduces the risks to productivity, finances and reputation resulting from a security incident.

Your information security policy defines the strategies and procedures to reduce vulnerabilities.

It also covers monitoring for incidents and addressing security threats.

It provides a clear direction on steps to be taken in the event of a security breach or disaster.

A good information security policy:

Standardizes the organization's business processes and rules to help protect the confidentiality, integrity, and availability of data.

Implements recovery procedures to respond quickly and minimize damage to the business in the event of an incident.

Enforces security programs across the organization, providing a framework for operationalizing the procedures.

Provides a clear statement of the organization's security policy to third parties.

Provides a foundation to meet regulatory compliance requirements.

An information security policy provides a solid foundation for the ISO 27001 compliance process.

Niranjan Meegammana
