ipl-logo

Information Security Policy Paper

1565 Words7 Pages

In a minimum of 1,200 words using at least three scholarly sources, explain the role of security policies in an organization and the roles and responsibilities associated with creating and managing information security policies.
Security starts at the top of the chain of command; the executive staff creates the strategic plans for the entire organization. Security is the responsibility of everyone, but in business, it has to be championed from the top (Whitman & Mattord, 2013). The senior management team must address security regardless of the business sector as strategic policies are created (Ning & Tanriverdi, 2017). Christina Torode made a statement that sums up the uphill battle information technology professionals have to overcome. …show more content…

Management is the decision-maker for all information systems, there creation and use. The same holds true for information security. Information security is the responsibility of every employee, and especially the managers, the chief information officer (CIO) is ultimately charged with the protection of information in the organization. This individual is charged with the overall strategic planning of the enterprise and the tactical planning as they relate to the organization’s goals in technology, information, and security (Brown, DeHayes, Hoffer, Martin, & Perkins, 2012; US DoC NIST, 2006 [updated 3/7/2007]). The Chief Information Officer works with the executive staff to help develop the enterprise strategies as they pertain to technology. Then he/she will translate those strategies for the information technology (IT) and information security (InfoSec) professionals (Whitman & Mattord, 2013). The Chief Information Officer position will continue to evolve, through technology, policy and business directive. Some Chief Information Officers primarily focus on the information technology and information security (InfoSec) functions where others are more oriented to the business operations (Launchbaugh, …show more content…

When conducting the risk assessment, you should not focus only on the outside forces; you should look at anything that has the potential of disrupting the total or partial operation (Siponen, Mahmood, & Pahnila, 2009; US DoC NIST, 2006[updated 3/7/2007]). The facility I work for is a manufacturing environment; we have procedures for most operational issues that occur. When a pump or motor fails, the operator would activate the backup system. In other areas, like the powerhouse, when a boiler experiences an abnormal operational condition, we have policies and procedures that govern the emergency shutdown, the notification of management and in the case of boiler operations, the State and Federal entity notification if any atmosphere venting occurs. On the business side the financial group's finance, accounting, and purchasing have policies that are required by Federal law, Sarbanes-Oxley (SOX) Act of 2002. The Sarbanes-Oxley (SOX) Act of 2002 was established to protect the stockholder and public from accounting practices that fail to or overstate or understate the financial worth of the enterprise (SOX, 2010). Another area of policies that are typically overlooked is disaster recovery (DR) or business continuity (BC). These plans are created to mitigate issues that can arise from threats, accidents, and natural disasters.

Open Document