Why Do Companies Need IT Security Policy?

Thinking about who is responsible for securing an organization’s information?  Perhaps the Research department?  Not exactly.  The Management Information System (MIS) staff?  Wrong once more.  Ultimately, it is not only individual employees or departments that are responsible for the security of confidential information, but also the institution itself. It is, therefore, incumbent upon top administrators, who have been charged with protecting the institution’s best interests, to ensure that an appropriate and effective security policy is developed and put into practice throughout the organization.

Although policies themselves don’t solve problems, and in fact can complicate things unless they are clearly written and observed, policy does define the ideal toward which every organizational effort should be directed.  By definition, security policy refers to clear, comprehensive, and well-defined plans, rules, and practices (regulations) that regulate access to an organization’s systems and the information held in them.  Above all, good policy protects not only information and systems, but also individual employees and the organization as a whole.  It also serves as a prominent statement to the outside world about the organization’s commitment to securing its systems.


Commonly Asked Questions

Question A. Shouldn’t we hire expert technology consultants to do the job?
There certainly are roles for expert consultants to play when instituting security policy: they can be hired as general technical support, or they may be useful in offering advice about countermeasures (e.g., a password system or an authentication system).  But generally speaking, the chief security administrator and his or her staff need to shoulder the responsibility of protecting their system because, after all, it is their system.  They are the people who know it best, and they will be the ones who have to implement the adopted security policy. Outside contractors, while certainly capable of lending expertise to the process, cannot take the place of committed and informed staff.

Question B. What does ST Digital have to offer that experienced policy makers don’t already know?

Experienced policy makers certainly bring a great deal of skill to security policy development.  But in many ways, security policy is different from other, more traditional forms of policy, because it requires policy makers to think like a data entry operator, MIS staff, a research specialist, and in some areas a legal counsel, an administrator, and so on.  Many of the procedural guidelines included here will already be familiar to well-seasoned policy makers, but this document tailors the information so that it can be more readily applied to the specific concerns of information and system security, an area of expertise not always held by administrators and policy makers, and one that ST Digital can offer.


How to Develop Policy


A tenable security policy must be based on the results of a risk assessment.  The findings from a risk assessment (security audit) provide policy makers with an accurate picture of the security needs specific to their organization.  This information is imperative because proper policy development requires decision makers to:

  • Identify sensitive information and critical systems.
  • Incorporate state laws, as well as relevant ethical standards.
  • Define institutional security goals and objectives.
  • Set a course for accomplishing those goals and objectives.
  • Ensure that necessary mechanisms for accomplishing the goals and objectives are in place.

In this way, regulatory concerns, organizational characteristics, contractual stipulations, and user input can all be incorporated into policy development.  Effective security policy synthesizes these and other considerations into a clear set of goals and objectives that direct staff as they perform their required duties.



The Logic behind a Well-Planned Security Policy

What should be Included…

The following general questions should be addressed clearly and concisely in any security policy:

  • What is the reason for the policy?
  • Who developed the policy?
  • Who approved the policy?
  • Whose authority sustains the policy?
  • Which laws or regulations, if any, is the policy based on?
  • Who will enforce the policy?
  • How will the policy be enforced?
  • Whom does the policy affect?
  • What information assets must be protected?
  • What are users actually required to do?
  • How should security breaches and violations be reported?
  • What is the effective date and expiration date of the policy?