Every company that has
IT in place must focus on developing an IT security program to
mitigate the risks associated with operating in a shared, enterprise
The data in an organization varies widely in type and
in degree of sensitivity. The
employees need to be able to exercise flexibility in handling and
protecting it. It s often not practical or cost-effective to ensure
that all data handled is in the same manner or be subject to the
same protection requirements. However some degree of standardization
is required as some ones’ output is some one else’s input. Else
insistencies can develop and introduce risks.
The IT security program
framework may be divided into two types. One is Program-level and
the second one as Issue-specific.
The main function of
Program-level policy is to frame the organization wide IT security
goals and objectives, establish the security program, assign
responsibilities and provide a basis for enforcement.
As this is too broad and
far-reaching in applicability, the program-level IT security policy
may be divided purpose, scope, goals, responsibilities, and
primary purpose of program-level policy is to establish the IT
security program and the organization wide goals of the security
program. Define the purpose of this exercise and its need in your
organization clearly and communicate to the employees.
Program-level policy must include all of the organization's IT
resources, including facilities, hardware, software, information,
and personnel. You may need to include an overview of all of the
types of IT resources like Servers, workstations, Local Area
Networks (LANs), standalone computers, etc.
The three security-related issues are integrity, availability, and
is all about managing information in its totality. The information
must be kept intact, and is never lost, damaged, stolen or modified.
Availability is ensuring that information is accessible to
authorized users when and where needed and to the extent possible,
Confidentiality is ensuring that information is accessible only by
It is not sufficient to establish the IT security program and assign
program management responsibilities. Many other responsibilities
throughout the organization should be discussed in the policy,
including the role of line managers, owners of applications, users
of data -who use the data directly or indirectly.
among various individuals and groups must be defined in the
program-level policy to diminish ambiguity and confusion related to
areas of responsibility or authority. Define and facilitate
hierarchy for escalation and responsibility.
policy is documented, all the stake holders must be taken into
confidence and explained about the IT security framework. Once they
realize the need for discipline, it is easy to implement a policy.
There is bound to be resistance and you need to handle that
carefully with out confrontation mode. Once the tough user is
convinced, you can have your way in implementing smoothly. Training
plays a major role and training the relevant users or system people
is equally important.
Issue -specific policies are very tricky and need to be developed,
in order to identify and define specific areas of concern to the
organization's position and expectations in relation to them.
The types of
subjects covered by issue-specific policies are areas of current
relevance, concern, and, sometimes, controversy upon which the
organization needs to assert a position.
policies, however, are likely to require revision and updating from
time to time, as changes in technology and related activities take
Your IT security program may have covered email usages and
restrictions behind a firewall etc. But do you have a policy against
Spam & Virus? What about wireless device usage with in your
Let us divide the components of the Issue-specific policies-
statement of an issue and the organization's position,
applicability, roles and responsibilities, and points of contact.
of an Issue and the Organization’s position
All the possible issues must be defined and documented with any
relevant terms, distinctions, and conditions delineated. The policy
makers must be able to foresee some issues that do not exist, but
may crop up later. Once the issue is documented, the organization's
position on the issue will need to be clearly stated. There must be
step by step analysis of the issue and the organization
responsibilities and the people/departments involved.
Issue-specific policies must clearly include statements of
applicability, meaning where, why, how, when, to whom, by whom and
to what a
particular policy applies shall be clearly documented.
For each activity documented in the security policy, roles and
responsibilities of the people and the departments with in the
organization shall be assigned.
Appropriate individuals in the organization must be identified as
points of contact for smooth process of issue-specific situation.
Policy implementation is a process and a difficult one at that.
Policy cannot merely be announced by the management and expect every
one to follow. One must prepare people for the same. Expose the
employees before actually implementing it. Conduct some training
sessions or seminars and take all involved into confidence. Collect
their feedback and see if the policy needs to be modified. Also
realize that you need a ‘champion’ in the management side for
successful implementation of the IT security policy.
Once IT security policy has been approved, issued and implemented,
you still need to document the policy.
The IT security policy itself may be self sufficient. But
more often it is required to integrate IT security policy with other
Some times IT security policy may generate the need to create new
policy elsewhere in the organization as new rules, regulations,
processes may have to be added or modified.
IT security policy is a must for all organizations exploiting IT. A
firm security policy must be in place. Take all the employees into
confidence and educate them. People acceptance and enforcement is
key to the success of your IT security policy.