Like other valuable business assets, information must be regarded as an asset too which is valuable to the organization and need a suitable protection against any types of threats. The threats are not just from the internet, but you know that nearly over 50% all security breaches occur from the insiders.
Information security is achieved by implementing a suitable set of controls in the form of policies, procedures, organizational structures, systems and functions to ensure that the security objectives of the organization are met. Information Security deals with a number of important concepts by ensuring the security of all information and the systems, processes and procedures relating to the management and use of the information.
Information security does not ensure security. However, the information security does provide a framework and reference point for management to implement appropriate information security controls, and is a means of raising awareness of users’ responsibilities relating to information security.
Objectives of information security are known as CIA:
1. Confidentiality: To ensure that information is accessible to only those authorized users to have access.
2. Availability: To ensure that authorized users have access to information and its supporting processes, systems and networks when required.
3. Integrity: To safeguard the accuracy and completeness of information and associated processing methods.
The management of the information security will include the following areas that need the guidelines or policies.
1. Careless talk
Careless Talk is talking about business, the office, and people from work, etc where you can be overheard, or discussing business with people who are not authorized to know. Careless talk also means providing sensitive information inadvertently to someone who wants it for a specific purpose such as breaking into the corporate premises or computer systems. This is called Social Engineering.
2. Email security guideline
Email is a critical business tool for an organization communication system. The security, confidentiality and integrity of Email cannot be guaranteed and certainly cannot be considered private. Due to this, you should act professionally and appropriately at all times. If you need to send information that is sensitive or confidential and you cannot guarantee the email security, consider another method of sending this information, unless you have approved encryption.
3. Instant messaging guideline
Internet users are familiar with IM – Instant Messaging which is a common communication tool that provides for two-way communication in real-time. The security and the integrity of IM cannot be guaranteed. So, it is not wise to discuss sensitive business or private and personal details using Instant Messaging.
4. Internet policy guideline
Internet access should not be granted to all level of users in the organization. The users are expected to act professionally and appropriately while using the Internet. What the users do on the internet can be monitored internally / externally and these actions can be traced back to the computer used. The policy and or guidelines for this area should be developed to support the business.
5. Laptop security guideline
All the organizations have the laptops to support their mobile workforce. As valuable organizational assets, the laptops contain many work files and sensitive business information which must be protected all the times.
6. Office security guideline
The corporate business premises and office areas have a variety of physical security controls in place, however staff should be vigilant at all times. The security guidelines should be developed to manage the strangers in workplace, the assets, clear desk, always screen-lock, secure faxing and photocopying, and assure the virus scanning.
7. Password security guideline
A good password is something that cannot be easily guessed such as a mixture of upper/lower case, 8 character minimum, and so on. Knowing common passwords that are easy to guess is a good thing in password security guidelines. An easy to guess password is a word that you have chosen that is related to something that is commonly known about someone or could be easily ascertained.
8. Secure media handling
All the media that need to be thrown away must be destroyed securely. Media contains organization information that should not be accessed by unauthorized people. A guideline to handle the media securely should be developed.
9. Spam security
Email spam is always annoying to everyone who receives it which often contains pornography, and other offensive advertisements unsolicited. A regulation or a guideline, or a policy should also be developed as an anti-spam tool.
10. Virus security
If you think you’re totally safe from virus infection because of the antivirus scanning programs installed on the corporate IT systems – think again. Hundreds or maybe thousands of new viruses and worms are introduced into the ‘wild’ every week.