Information Security Policy Paper


Introduction
To properly secure an organization, it must first define its expected security posture. This begins with well-defined security policies. Security must be a top-down effort, beginning with upper management and extending down to each individual, accountable employee. The policy must outline how the organization plans to mitigate risks and the level of risk that is acceptable to it. The team that creates the policy must be representative of the entire organization and may also include members who are external to the organization.
Policy Creation Team
It should be assumed that if an organization is considering the development of an information security policy, an information security team is …

The internal audit function would be responsible for assuring that the policy is working as expected, as well as providing an outside view of the risks the policy intends to mitigate. The final group that should review and provide input to the policy is the business users. At the end of the day, the end users are the ones who will abide by the policy. A policy must secure an organization, but it must not be so restrictive that the business cannot function. The right topics must be addressed by the policy (SANS, …

The healthcare industry must apply more rigor to how it handles patient information. The policy team must also define data classification elements. Not all data an organization produces carries the same security risk; with proper classification elements defined, an organization can determine the appropriate level of rigor to apply to each class.
A key component of an information security policy is an incident response plan. Should a threat actor compromise the organization, it must have a defined way to respond to the incident effectively. The threat must be isolated, then mitigated, and the policy will likely need to be adjusted to address how the compromise occurred (Baskerville, Straub, & Goodman, 2008). Other components of an information security policy must cover system backups, email usage, wireless networking, physical security, and how third parties may access the organization's systems.
Policy