In today's digital e-commerce and m-commerce world, the information itself acts as an asset and exists in the form of hardware, software, procedure, or a person. So the security of these information systems and management is a big challenging issue for small and large-scale agencies. So this chapter discusses the major role and responsibility of the organization's management in identifying the need for information security policy in today's world of changing security principles and controls. It focuses on various policy types suitable for all kinds of security models and procedures with the background details such as security policy making, functionality, and its impact on an agency culture. Information security policies are helpful to identify and assess risk levels with the available set of technological security tools. The chapter describes the management strategies to write a good policy and selection of the right policy public announcement. The agencies must also ensure that the designed policies are properly implemented and ensure compliance through frequent intermediate revisions.
TopIntroduction
For the past few years, it has been proven how digital communication information systems are vulnerable to various attacks. The information systems or information itself is a critical asset to business profitability or loss. In many cases, the more sophisticated attacks silently penetrate through critical information systems and explore to exploit valuable assets of the organization that consists of either secret or sensitive information.
An information system can be considered as a group of interrelated components which are able to retrieve, process, store and distribute relevant sensitive information securely in support of decision making or controlling the entire organization. It consists of not only the data in it but also refers to users and methods whether automated or manual methods organized to collect, process, transmit and disseminate data that is responsible for. From the 1960s and mid-1970s majority of information systems were manual systems later on these are mainly computerized and software-intensive systems known as mainframe-based, client-server based and web-based information systems.
Formally, the Information System (IS) is known as a product or component, a protocol for cryptographic system (or) a small card for wireless network access, a disk controller on personal computer (or) an operating system and a communication system on a network (or) an organization’s staff (or) the internet with maximum number of computers (or) an application system such as payroll system, financial system and so on. In simple terms, an information system is composed of either data, hardware units, software, procedures and/or people with major data management functionalities like data input, data storage, data processing, data control, and output results.
The information is considered as a critical and sensitive corporate asset. So the security of this kind of assets is also crucial. The security of information systems(assets) is one of the success factors for business matters. It is important that the information systems remain secure and that the data contained in them do not fall into the hands of those who are not allowed to have access to it. Any misuse of sensitive or critical information systems by internal employees or an external entity, however, lead to very serious challenges to organizational agencies such as loss in terms of productivity, revenue or any legal liabilities and other workplace issues. so in today’s digital world, the agencies or organizations need to have effective corrective measures to enforce their suitable and apt usage of policies to minimize their loss tendency as well as the increase of productivity by knowledgeable workers.
The main objective or purpose of information security and its management is to sustain the protection of the integrity, availability and the confidentiality of transmitted data and the availability of classified or identified information systems (Cleveland, 2004). Any organization or agency‘s effort towards securing their information systems must be successful if and only if it works in conjunction with the firm or organization’s own information security policy structure management. There are certain security principles based on which every policy underlies.