The purpose of an information security policy is to establish an organization-wide approach that prescribes mechanisms to identify and prevent the compromise of information security and the misuse of the organization’s data, applications, networks, and computer systems, and to define mechanisms that protect the organization with regard to its legal and ethical responsibilities arising from the connectivity of its networks and computer systems to worldwide networks. Most organizations worldwide have already formulated information security policies. Having a security policy document is not in itself enough; the document must be complete. This paper examines the security policies of 20 different academic organizations against a standard security policy framework and attempts to answer questions such as: Are these security policy documents complete? Are they fully up to date? Does the precept match the practice? These are the kinds of questions addressed in this study.
Organizations have been spending tremendous amounts of money on deploying firewalls, Intrusion Detection Systems (IDS) software, and encryption equipment, as well as on human resources for information security (Doherty & Fulford, 2005). But if an organization just haphazardly puts these security tools and devices together without formulating an organizational information security policy, nothing good will come of it. A security policy for a system is like a foreign policy for a government: it defines the aims and goals. Any company should have an interest in protecting its assets against undesired events. A security policy should address the information assets of the organization, the threats to those assets, and the measures that management has decided are reasonable and proper to protect those assets (Fulford & Doherty, 2003). Organizations are also expected to comply with governmental legislation such as the Health Information Privacy and Protection Act (HIPPA), the Sarbanes-Oxley Act, the Gramm-Leach-Bliley Act (GLBA), the Child Online Privacy and Protection Act (COPPA), and the Patriot Act (Tulu & Chatterjee, 2003; Ma & Pearson, 2005).
Key Terms in this Chapter
Threat: An event or activity, deliberate or unintentional, with the potential for causing harm to an IT system or activity.
Policy: A set of rules. Policies are the dos and don’ts of information security, again, within the framework of the organization’s security philosophy.
Prohibited: Use that is illegal, and all other use that is neither Acceptable nor Allowable.
Allowable: Legal use for other purposes that does not impinge on Acceptable use. The amount of Allowable use will vary over time based on the capacity reserve of information technology resources available beyond Acceptable use.
Information System: A system consisting of hardware, software, network, and recording media that is installed in an organization for business processing.
Information Security: The protection of the confidentiality, integrity, and availability of information assets.
Vulnerability: A flaw or weakness that may allow harm to occur to an IT system or activity.
Risk: The possibility of harm or loss to any software, information, hardware, administrative, physical, communications, or personnel resource.
Practices: Practices define the how of the organization’s policy. They are a practical guide regarding what to do and how to do it.