IT Security
IT Security Program Framework  

   Every company that has IT in place must focus on developing an IT security program to mitigate the risks associated with operating in a shared, enterprise environment. 

   The data in an organization varies widely in type and in degree of sensitivity. Employees need to be able to exercise flexibility in handling and protecting it. It is often not practical or cost-effective to ensure that all data is handled in the same manner or subject to the same protection requirements. However, some degree of standardization is required, as one person's output is someone else's input; otherwise inconsistencies can develop and introduce risks.

  The IT security program framework may be divided into two types of policy: program-level and issue-specific.


Program-level Policy

  The main function of program-level policy is to frame the organization-wide IT security goals and objectives, establish the security program, assign responsibilities and provide a basis for enforcement.

  Because it is broad and far-reaching in applicability, program-level IT security policy may be divided into purpose, scope, goals, responsibilities, and enforcement.


A. Purpose

 A primary purpose of program-level policy is to establish the IT security program and the organization-wide goals of the security program. Define the purpose of this exercise and its need in your organization clearly, and communicate it to the employees.

 B. Scope

   Program-level policy must include all of the organization's IT resources, including facilities, hardware, software, information, and personnel. You may need to include an overview of all of the types of IT resources, such as servers, workstations, Local Area Networks (LANs), standalone computers, etc.


 C. Goals

  The three security-related goals are integrity, availability, and confidentiality.

Integrity is about maintaining information in its entirety: the information must be kept intact and never lost, damaged, stolen or improperly modified. Availability is ensuring that information is accessible to authorized users when and where needed and to the extent possible. Confidentiality is ensuring that information is accessible only to authorized users.


D. Responsibilities

   It is not sufficient to establish the IT security program and assign program management responsibilities. Many other responsibilities throughout the organization should be discussed in the policy, including the roles of line managers, owners of applications, and users of data, whether they use the data directly or indirectly.

   The relationships among the various individuals and groups must be defined in the program-level policy to diminish ambiguity and confusion about areas of responsibility or authority. Define a clear hierarchy for escalation and responsibility.


E. Enforcement

    Once the policy is documented, all the stakeholders must be taken into confidence and the IT security framework explained to them. Once they realize the need for discipline, it is easy to implement a policy. There is bound to be resistance, and you need to handle that carefully and without confrontation. Once the tough user is convinced, you can have your way in implementing smoothly. Training plays a major role, and training the relevant users or system people is equally important.


Issue-specific Policy

   Issue-specific policies are tricky, and need to be developed in order to identify and define specific areas of concern and to state the organization's position and expectations in relation to them.

   The types of subjects covered by issue-specific policies are areas of current relevance, concern, and, sometimes, controversy upon which the organization needs to assert a position.

   Issue-specific policies, however, are likely to require revision and updating from time to time, as changes in technology and related activities take place.

   Your IT security program may have covered e-mail usage, restrictions behind a firewall, and so on. But do you have a policy on spam and viruses? What about wireless device usage within your premises?

   The components of an issue-specific policy are: a statement of the issue and the organization's position, applicability, roles and responsibilities, and points of contact.


Statement of an Issue and the Organization’s position

  All the possible issues must be defined and documented, with any relevant terms, distinctions, and conditions delineated. The policy makers must also try to foresee issues that do not yet exist but may crop up later. Once the issue is documented, the organization's position on the issue must be clearly stated. There must be a step-by-step analysis of the issue, the organization's responsibilities and the people/departments involved.

Applicability

    Issue-specific policies must clearly include statements of applicability, meaning that where, why, how, when, to whom, by whom and to what a particular policy applies shall be clearly documented.

Roles and Responsibilities

    For each activity documented in the security policy, the roles and responsibilities of the people and the departments within the organization shall be assigned.

Points of Contact

   Appropriate individuals in the organization must be identified as points of contact so that issue-specific situations can be handled smoothly.

Policy Implementation

    Policy implementation is a process, and a difficult one at that. Management cannot merely announce a policy and expect everyone to follow it. People must be prepared for it. Expose the employees to the policy before actually implementing it. Conduct training sessions or seminars and take all involved into confidence. Collect their feedback and see if the policy needs to be modified. Also realize that you need a 'champion' on the management side for successful implementation of the IT security policy.

Policy Documentation

    Once the IT security policy has been approved, issued and implemented, you still need to document it. The IT security policy itself may be self-sufficient, but more often it is necessary to integrate the IT security policy with other existing policies.

    Sometimes the IT security policy may generate the need to create new policy elsewhere in the organization, as new rules, regulations and processes may have to be added or modified.


    An IT security policy is a must for all organizations that use IT. A firm security policy must be in place. Take all the employees into confidence and educate them. People's acceptance and enforcement are key to the success of your IT security policy.