
Security Standards



Information security policy provides a framework for management to implement and maintain a level of information security that is commensurate with information security risks.

Information is an asset which, like other important business assets, has value to the corporation and consequently needs to be suitably protected. Information security policy protects information from a wide range of threats in order to ensure business continuity and minimize business damage. Information security policy is achieved by implementing a suitable set of controls in the form of policies, procedures, organizational structures, systems and functions to ensure that the security objectives of the organization are met.

Information security policy deals with a number of important concepts. Information security policy is concerned with ensuring the information security of all information and the systems, processes and procedures relating to the management and use of the information. Information may be in hard copy or soft copy stored on various types of information media such as flash disks, compact discs, DVDs, or computer networks.

Information has varying degrees of sensitivity and criticality. A great deal of information may need no security, or only very low levels of it. However, other information may be commercially sensitive and will require higher levels of security. Information assets must be classified and managed according to their security requirements, so that security controls are commensurate with the security risks.

There is increasing dependence on information systems and on the exchange of information between organizations and with business partners. This brings with it increasing exposure to security threats. Consequently, there is increasing responsibility on the corporation and on business partners to ensure that the information assets remain secure.

Information security policy applies to all corporate operations. Business Units are responsible for ensuring that their information assets are appropriately protected. All users are responsible for the security of the information they use, and management must ensure that information security controls are properly implemented. Information security policy does not ensure security. However, the Information security policy does provide a framework and reference point for management to implement appropriate information security controls, and is a means of raising awareness of users’ responsibilities relating to information security.

The potential consequences of an Information Security breach can include the following:

  1. Loss of life and injury
  2. Loss of shareholder confidence and financial loss
  3. Interruption of business processes
  4. Loss of client confidence
  5. Criminal charges
  6. Brand and reputation damage
  7. Litigation

General statement of Information security policy

Information and its supporting processes, systems, and networks should be available to employees (and authorized third party business partners) to enable them to optimize their performance and that of the Group. Information must be subject to an appropriate level of control to protect it from loss, unauthorized manipulation or disclosure.

Objectives of Information security policy:

  1. Availability, ensuring that authorized users have access to information and its supporting processes, systems and networks when required.
  2. Integrity, to safeguard the accuracy and completeness of information and associated processing methods.
  3. Confidentiality, to ensure that information is accessible to only those authorized to have access.

Purpose of Information security policy

This Information security policy provides a framework for management to implement and maintain a level of information security that is commensurate with information security risks. Its purpose is to ensure that:

  1. Trust between the organizations and trading partners with whom you share public and private networks is maintained.
  2. Information is secure and is protected in a manner that is commensurate with its level of sensitivity and security risk.
  3. Regulatory obligations are complied with, for example privacy legislation.

The following areas need security guidelines under the information security standard:

Information security policy #1: Careless talk

Careless talk means talking about business, the office, people from work, etc., where you can be overheard. It also means discussing business with people who are not authorized to know.

Read more about this careless talk in information security policy.

Information security policy #2: E-mail security guideline

E-mail is regarded as a critical component of the corporate communications system and is provided as a business tool. The security, confidentiality and integrity of E-mail cannot be guaranteed and certainly cannot be considered private. Due to this, you should act professionally and appropriately at all times. Read more about email security policy guideline.

Information security policy #3: Instant messaging guideline


Instant Messaging (IM) is a communication tool that provides for two-way communication in real-time. For the two-way communication to occur each person must use the same IM product such as ICQ, Yahoo Messenger or MSN Messenger (called Windows Messenger in Windows XP). Read more about instant messaging security policy here.

Information security policy #4: Internet policy guideline

Internet access is typically a privilege and the users are expected to act professionally and appropriately while using the Internet. What you do on the Internet can be monitored internally / externally and your actions can be traced back to the computer you are using. Read more about internet security standard guideline here.

Information security policy #5: Laptop security guideline

Laptops are very valuable organizational assets because they contain many work files that are important to the corporation and may contain sensitive business information, which must be protected at all times. Read more about laptops security standards guideline here.

Information security policy #6: Office security guideline

The corporate business premises and office areas have a variety of physical security controls in place; however, staff should be vigilant at all times. Read more about office security standards guideline here.

Information security policy #7: Password security guideline

Your user ID, password and/or token provide you with access to information on the corporate computer systems that only you should have access to, based on the Need to Know Principle. Read more about password security standard guideline here.

Information security policy #8: Secure media handling

The easiest way to dispose of media such as a disk or CD/DVD is to put it into a special place which should be marked as Security Media container (typically with a red lid). However, if the contents on the disk or CD/DVD are highly sensitive, you should destroy it. Read more about secure media handling here.

Information security policy #9: Spam security guideline

Most of you would receive physical junk mail (adverts, brochures, etc.) in your mailbox at home. Spam is the electronic equivalent; however, there are some differences between the hardcopy version of junk mail and the email version. Read more about spam security standard guideline here.

Information security policy #10: Virus security

If you think you’re totally safe from computer virus infection because of the antivirus scanning programs installed on the corporate IT systems – think again. Read this virus security standards guideline here.
