9.7 Security Policy Flashcards
What is the Purpose of a Security Policy?
Establish general approach to information security
Detect and forestall compromise of information security (misuse of data, networks, computer systems, applications)
Protect reputation of company with respect to its ethical and legal responsibilities
Observe rights of customers (providing effective mechanisms for responding to complaints and queries concerning real or perceived non-compliances with policy is one way to achieve this objective)
Make sure information security policy is considered to be as important as other policies enacted within the corporation
Describe the Staff element of the Security Policy
Staff must be aware of this policy
Workable, not too stringent and not too lax
Staff must understand importance of data and security and the part they play in its protection
Staff must understand the consequences
Training, communication
Company culture and attitude of senior management must support importance
Manage, measure, control and REVIEW policy on regular basis
Describe the Awareness element of the Security Policy
Users may sign off on a security policy and then ignore it - if policy is too strict and interferes with getting the job done, users will work around it
Users need to know why policy is in force and consequences if not followed
Reading and acknowledging a document doesn’t necessarily mean they’re familiar with and understand new policies
Training session may engage employees and ensure they understand procedures and mechanisms in place to protect data
Training should touch broad scope of vital topics:
- How to collect / use / delete data
- Maintain data quality
- Records management
- Confidentiality and privacy
- Appropriate utilisation of IT systems and networking
A small test at the end is perhaps a good idea