Information security policy
|Information security policy|
Information security policy - a set of authenticated procedures and security rules together with a program for their implementation and enforcement.
Information has always been and always will be one of the most important values for every person, society, economy, state or institution. Information is a resource that is the most sought after today. Since the emergence of the Internet and mobile telephony, the distance when exchanging information ceased to have any meaning. It has also simplified our search for information, we have much better access to it than we used to.
The information reflects the realities prevailing in social life.
Information is a collection in which objects of every nature are described. It is contained in a specific message. The person to whom such a message has reached is able to respond to the situation and take appropriate action accordingly. The value of information will depend on what impact it will have on the change of reality. To describe information, we will use terms such as knowledge, data and wisdom. Data as a set of values and names that have been properly ordered describe the object. Knowledge is information that is used in accordance with the conditions in the activities undertaken. On the other hand, wisdom is knowledge, according to which the subject has the opportunity to achieve his goals in accordance with the value system he set for himself.
Security understood as the moment when there is no danger. Regarding information security, this is related to the uninterrupted functioning of the institution's processes. It is a state in which information belonging to the institution is not threatened. The information security aspects include:
Accessibility is understood here as providing information to a person authorized to do so, confidentiality as not sharing an inappropriate person. Integrity is defined as ensuring completeness and accuracy, authenticity will mean the accuracy of information and reliability means performing certain tasks at the right time.
Information security policy
An information security policy is an assortment of documents that describe the principles and methods for ensuring security and information protection. These documents must comply with applicable law. The security policy is the basis for creating documents that determine the conditions that must be met by both paper and IT systems and outline the requirements for specific groups of information. The legal aspect of information systems and information protection is taken into account. It must contain:
- list of rooms or parts thereof, buildings in which personal data is processed,
- the way data flows between systems,
- list of programs that are used to process data and compilation of data sets,
- specification of organizational and technical measures that are necessary to ensure the integrity, accountability and confidentiality of the data being processed,
- description of the construction of data sets, which indicate links between information fields and indicating the content of specific fields.
The essence of information security policy
Information determines the success of the organization, is one of its most important resources. All employees of the institution should therefore properly protect it. Correct protection of information is very important, and thus a proper level of information security should be met. To achieve this, the organization's resources should be properly prepared and then duly managed. Therefore, it is necessary to properly arrange and then enforce the information security policy. Each organization is in possession of information that must be protected, either for legal reasons, i.e. classified information, personal data or for the interest of the organization, i.e. investment information, financial information, patents, etc. The security and information protection objectives are:
- ensuring the confidentiality of information,
- guaranteeing the safe and correct functioning of systems that process information,
- complete reduction of the possibility of danger emerging in relation to information,
- guarantee of an appropriate level of information security that is processed.
Development of an information security policy
First of all, the term information security should be defined. As I mentioned earlier, the information security policy is an assortment of documents that describe the principles and methods for ensuring security and information protection. The policy should include all rules for processing, producing, transmitting and storing information in terms of guaranteeing its security. It is very important that the information security policy complies with the law, that is, it should be developed on the basis of currently applicable regulations and laws regarding, inter alia, protection of copyright and personal data or protection of classified information. In order to develop an appropriate information security policy, you should take into account many factors related to your organization, such as:
- the specificity of functioning
- processes that take place in this institution
- organization structure
The information security policy should cover all employees of a given institution. It should be constantly updated.
- Bulgurcu, B., Cavusoglu, H., & Benbasat, I. (2010). Information security policy compliance: an empirical study of rationality-based beliefs and information security awareness. MIS quarterly, 34(3), 523-548.
- Hu, Q., Xu, Z., Dinev, T., & Ling, H. (2011). Does deterrence work in reducing information security policy abuse by employees?. Commun. ACM, 54(6), 54-60.
- Siponen, M., & Vance, A. (2010). Neutralization: new insights into the problem of employee information systems security policy violations. MIS quarterly, 487-502.