I have found many organizations with no IT security policy at all, or with a policy that is of no use because nobody follows it. Industry surveys suggest that employees do not even read the policy book, perhaps for lack of time, or because the IT security policy runs to a huge pile of paper. Sometimes the IT security manager cannot sort out the right policy papers for the right employee, nor get them properly signed. Of course, this depends on the company's or organization's industry level, country and culture of trust. So here is the question for you: is your IT security policy guiding your employees to avoid confidential data leakage?
Recently I heard of a scenario in the IT industry. A company's IT administrator performed a task beyond his defined role and was personally appreciated by the IT manager (the administrator saved the company a great deal of money with the help of his contacts, knowledge and experience in IT). As a result, a few weeks later the administrator received an appreciation letter from the IT manager. The appreciation letter turned out to be nothing but a resignation letter... huh. Why?
The administrator did his best for the company, and the company CEO praised the IT manager every time for the wonderful job. Yet the administrator received a resignation letter from his IT manager... Bullshit, right!? Where is your company policy? Where are your task credit points? Is your company IT policy just for employees, or for managers, the CEO and every person in the company?
Sometimes questions are useful for contemplating an important topic. The point I am discussing here is that even you can develop company policy: learn from the company's activity, develop new policy for the company, and train others in the new policies.
Developing any kind of document or policy is sometimes hectic because of the environment, time pressure and task schedules, and people forget many things while developing a policy.
Here are the questions to ask yourself while developing one:
IT Policy Prominence?
IT Policy Treatment?
IT Policy Custodial Practices?
IT Policy Benefits?
IT Policy Compliance?
IT Policy Respect, Confidentiality, Trust? etc.
Some more questions to ask when creating the policy document:
IT Policy introduction, with the company environment?
IT Policy Authorities and Compliance ?
IT Policy Applicability ?
IT Policies? Procedures and Tasks? Guidelines? Document Control?
Here are a few policy points to share with you from an Information Systems Security Policy Handbook:
POL01 Responsibility of the office of information Security
POL02 Responsibility of the information Technology Security Board
POL03 Responsibility of system owner
POL04 Responsibility of Information Technology Managers
POL05 Responsibility of System Administrators
POL06 Responsibility of Data Custodians
POL07 Responsibility of Users
POL08 Monitoring of User Accounts, Files, and Access
POL09 Administrative Access to City Information Systems
POL10 Electronic Data and Records Management
POL11 Electronic Data Breach Disclosure
POL12 Access Controls
POL13 Systems and Network Security
POL14 Physical Security
POL15 Personnel Security Measures
POL16 Policy Enforcement
POL17 Acceptable Use of City Digital Equipment, Internet Access, Electronic Communications and Other Applications
POL18 Rules Specific to Electronic Communication Usage
POL19 Patch Management
POL20 Virus Malware Protection
POL21 Remote and Ad-Hoc Connectivity
POL22 Wireless Access
POL23 Web Application Deployment
POL24 Policy Exceptions
(…continued in the ISSP Handbook)
SANS – Web Application Security Assessment Policy
Business Justification for Application Security Assessment
Disgruntled Employee: The Initial Physical State of Data Leakage