The Role of Information Security Policy Essay

The framework for an organization’s information security program is composed of policies and their respective standards and procedures. This article will examine the relationship between policies, standards, and procedures and the roles they play in an organization’s information security program. In addition, the roles of individuals inside and outside of the organization with respect to the creation of policy and standards will be discussed. Finally, it will discuss how an organization can meet its information security needs at each level of security and how this relates to the content of the information security policy (ISP).

Information Security Policy (ISP)


Policies form the foundation of everything an organization is and does. Likewise, an ISP is the beginning of a company’s information security program. A policy is a high-level plan for how an organization intends to respond to certain issues. An ISP sets the tone of the organization’s information security program and establishes the will and intent of the company in all information security matters. The ISP also defines how the company will regulate its employees. Policies must support an organization’s objectives and promote the organization’s success. Policies must never be illegal and must be defensible in a court of law. Policies must be supported and administered fairly and consistently throughout the organization (Whitman & Mattford, 2010). The following paragraphs list some tips for developing and implementing an ISP.

A Clear Purpose

It is essential that an ISP have a clearly defined purpose. Specific objectives should guide the creation of the ISP, and the purpose should articulate exactly what the policy is to accomplish (McConnell, 2002). McConnell (2002) further notes that, “If you cannot explain why the policy exists, you cannot expect your employees to understand it or follow it” (p. 2).

Employee Input

In developing policies, it is a good idea to gain the input of the employees to whom the policy will apply. Ideally, there should be at least one representative from each department. Allowing various employees to give input on the policy will help to ensure that nothing is overlooked and that the policy is easily understood (McConnell, 2002).

Security Awareness and Training Program

In addition to gaining the employees’ acknowledgement of the ISP at their orientation, the ISP should be part of the security awareness and training program. Ongoing awareness training can focus on various security policies (McConnell, 2002). It is important to keep information security matters fresh in the minds of the employees to avoid complacent behaviors that may lead to serious violations.


Enforcement

Enforcement is critical to the success of any policy; policies that are not enforced are soon ignored. McConnell (2002) notes, “A policy that you are unable or unwilling to enforce is useless” (p. 2). If a policy is unenforceable, it should be removed or revised to the point where it is enforceable. Not only must a policy be enforceable, it must be enforced from the top down. When managers set the example, the rest of the staff are more likely to follow (McConnell, 2002).


Standards

While policy sets the overall plan or intent of the organization with regard to information security, standards define the specific elements required to comply with policy. For example, an acceptable use policy may prohibit employees from visiting inappropriate websites; the standard defines which websites are considered inappropriate (Whitman & Mattford, 2010). Standards may be developed in house, but the more common approach is to adopt already established industry standards and tailor them to the organization’s specific needs.


Procedures

Procedures are the step-by-step actions necessary to comply with the policy. Procedures are driven by standards, which are in turn governed by policy (Whitman & Mattford, 2010). Most policy violations can be traced back to either a willful or a negligent failure to follow procedures.


Senior Management

Senior management initiates the need for policy creation; it is their intent and purpose that the policy is created to communicate. Senior management is the final authority and gives the final approval for the policy.


Information Security Officer (ISO)

The ISO is essentially the policy’s champion, overseeing all aspects of the ISP and acting as the agent who reports to senior management. The ISO creates a governance committee that works together to develop and update policy. The ISO oversees organizational compliance with security policies (California Office of Information Security and Privacy Protection, 2008).

IT Staff

The information technology (IT) staff is responsible for installing and maintaining the technical controls to ensure users are compliant with the security policies. For example, the IT staff may install software that blocks access to prohibited websites. The IT staff also conducts monitoring of employee activity on the company network.


Managers

Managers, as already stated, must lead by example. When managers do not follow and enforce policies, it communicates to the employees that policies are not important and that following them is optional. A body will always follow its head; likewise, a department will always follow the example of its managers.

End Users

The average end user is perhaps both the greatest security asset and the greatest security threat; clear security policies and proper security awareness training are the deciding factors. People should be made aware of common security threats such as social engineering attacks and of the importance of safeguarding their passwords. They should be trained to understand exactly what the organization expects from them with regard to information security (Whitman & Mattford, 2010).

External Agents

There may be times when outside people, such as vendors, consultants, and temporary employees, need access to an organization’s network. Such people should be required to sign an acknowledgement form agreeing to abide by all security policies, standards, and procedures.

Security Levels

The Bulls-eye Model

The bulls-eye model is a way of tailoring the ISP to the needs of the organization at various security levels. The four levels of the bulls-eye are: policies, networks, systems, and applications (Whitman & Mattford, 2010). Whitman and Mattford (2010) state, “In this model, issues are addressed by moving from the general to the specific, always starting with policy” (p. 120).


An information security policy, as already discussed, sets the foundation for an organization’s information security program (Ungerman, 2005). While all policies are high-level, there are different levels that a policy may address. The enterprise information security policy (EISP) is the overall policy that encompasses all other information security policies within the organization. Issue-specific security policies (ISSPs) target specific issues and contain more low-level elements than the EISP. An example of an ISSP is an acceptable use policy (AUP). Finally, there are system-specific security policies (SysSPs). A SysSP is so low-level that it may appear more like a procedure than a policy. A SysSP, through either managerial guidance or technical specifications, defines the system-specific controls needed to conform to an ISSP. An example of a SysSP would be the implementation of website filtering software to enforce the company’s AUP (Whitman & Mattford, 2010).


Network-level security is about securing the network and, as such, is heavily focused on controlling access through user authentication. The EISP may define who may access the network, in addition to how and why. An ISSP may then specify what types of authentication and access control models may be used. SysSPs can then prescribe technical specifications, such as software requiring a periodic password change, to facilitate compliance with the ISSP (Whitman & Mattford, 2010).


System-level security is concerned with securing the actual system components of the network such as the computers, printers, and servers. Examples of ISSPs at the system level are AUP, password policies, and policies prohibiting the installation of unapproved hardware and software by end users (Whitman & Mattford, 2010).


Application-level security deals with any type of application, from out-of-the-box software like MS Office to enterprise resource planning (ERP) systems like SAP. Policy considerations here include controlling user access and the application update policy. Policy controls who has access to which applications and to which features (Whitman & Mattford, 2010).




References

California Office of Information Security and Privacy Protection. (2008, April). Guide for the Role and Responsibilities of an Information Security Officer Within State Government. Retrieved from

McConnell, K. D. (2002). How to Develop Good Security Policies and Tips on Assessment and Enforcement. Retrieved from

Ungerman, M. (2005). Creating and Enforcing an Effective Information Security Policy. Retrieved from

Whitman, M., & Mattford, H. (2010). Management of Information Security (3rd ed.). Mason, OH: Cengage Learning. Retrieved from The University of Phoenix eBook Collection database.


The Role of Information Security Policy Essay

The failure of organizations to implement a comprehensive and robust information security program can mean an untimely demise for some and costly setbacks for others. At the heart of information security is security policy. Without security policy there can be no security program. Without people, security policies would not exist: they would not be written, implemented, or enforced. Security policies and the adoption of standards provide many benefits, as shall be discussed in this paper. This paper further discusses how information in systems often falls under different classifications that reflect its degree of sensitivity, and how this relates to an organization’s security policy.

1.0 Security Policy and Standards

1.1 Defining Information Security Policy

Conklin et al. (2012, “Information Security Policy”) state that “policy is the essential foundation of an effective security program,” and that “the centrality of information security policies to virtually everything that happens in the information security field is increasingly evident.” One online source defines security policy as “a document that outlines the rules, laws, and practices for computer network access” (2013, “Security Policy”). The document regulates how an organization will manage, protect, and distribute its sensitive information. Information security policy addresses many issues, such as the following: disclosure, integrity, and availability concerns; who may access what information and in what manner; maximized sharing versus least privilege; separation of duties; and who controls and who owns the information.

1.2 Defining Information Security Standards

Standards are recommended or imposed practices that should or must be followed. One website (2013, “Standards”) defines a standard as a “written definition, limit, or rule, approved and monitored for compliance by an authoritative agency or professional or recognized body as a minimum acceptable benchmark.” Government agencies and organizations publish standards as guidelines and best practices so that other organizations can follow suit and ensure they are implementing and maintaining an adequate level of security and controls. Some standards are mandatory: federal regulations require compliance with these types of standards under penalty of law. Examples include Payment Card Industry (PCI) standards, Sarbanes-Oxley, Gramm-Leach-Bliley, and HIPAA.

1.3 The Importance of Information Security Policy and Standards

In essence, information security policies govern the protection of information. The benefits of information security policy include:

* Minimizing data leaks or loss.
* Protecting the organization from malicious internal and external users.
* Setting guidelines and best practices of use, and ensuring proper compliance.
* Announcing internally and externally that information is an asset, the property of the organization, and is to be protected from unauthorized access, modification, disclosure, and destruction.
* Promoting a proactive, as opposed to a reactive, stance for the organization.

Policies define allowed and disallowed behavior. More importantly, policies are explanatory when written so as to be understood by everyone in the organization and properly disseminated. To be effective, security policy needs to be visibly and uniformly practiced. Organizations should not need to be prodded to provide an adequate level of security to protect sensitive information.

Information is one of an organization’s most valuable assets. Unfortunately, many companies still do not understand the importance of allocating enough resources toward developing an information security blueprint. Time and time again these companies are punished for mishandling information. The importance of information security standards is to help organizations provide adequate security programs to protect their systems and sensitive information. It is important to protect information systems from threat and it is especially important to protect the private information of customers. In the eyes of customers, failure to protect their information is a violation of trust.


Responsible parties will have their reputations diminished and be held accountable for damages or loss. One kind of benchmarking is following the recommended practices of other organizations or industry standards (Conklin et al., 2012, “Security Management Models”). In this way organizations can adopt practices that are already proven to work. Federal regulations give some organizations the push they need to implement and maintain adequate information security control levels. Mandatory audits help keep these organizations “honest” and in compliance.

2.0 The Role of Employees in Policy

Security policy comes down from the top. The enterprise information security policy (EISP) is a high-level document “drafted by the chief information security officer (CISO) in consultation with the chief information officer (CIO) and other executives” (Conklin et al., 2012, “Information Security Policy”). Information security policy, however, has an effect on everyone in the organization. Policies have to be uniformly applied to be effective. If management fails to support a policy, the policy is typically ignored.

Employees often try to circumvent policy. People are generally resistant to rules and regulations that tell them what to do. The role of security education, training and awareness (SETA) is important in helping end users or employees understand security policy. When the time is taken to educate employees and include them in business decisions and processes, they are often more willing to abide by the rules and even to be proactive in defending them.

Security breaches often occur because of employee accident or inattentiveness. SETA helps mitigate this type of risk through education and training. Employees become more actively aware of situations that result in security breaches, such as tailgating and other tactics like social engineering attacks.

3.0 Security Levels and Policy

“An information security classification system is one of the critical components of good information security” (Office of the Chief Information Officer, Province of British Columbia, 2010). Security levels pertain to access restrictions. Information can have various degrees of sensitivity; in other words, some information must be better protected than other types of information.

Different levels of security are assigned for different data sensitivity levels or information classifications. The Bell-LaPadula security model reflects a multilevel security system based on data classification and security clearances. Such levels may include data classifications such as top secret, secret, confidential, sensitive but unclassified, and unclassified. Security policies such as a data classification and handling policy establish a framework for classifying and handling data based on its level of sensitivity. The classification of data aids in determining baseline security controls for the protection of the data.
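The Bell-LaPadula rules mentioned above, applied to the classification levels the paragraph lists, as an added example that is not part of the essay or its cited sources. The subjects, objects and level ordering below are constructed for illustration; `decide` returns the reason for each verdict so that denials can be logged and reviewed against the data classification policy.

```python
"""Bell-LaPadula access decisions over a classification lattice (constructed example)."""
from dataclasses import dataclass
from enum import IntEnum


class Level(IntEnum):
    """Ordered classification levels: a higher value dominates a lower one."""
    UNCLASSIFIED = 0
    SENSITIVE_BUT_UNCLASSIFIED = 1
    CONFIDENTIAL = 2
    SECRET = 3
    TOP_SECRET = 4


@dataclass(frozen=True)
class Subject:
    name: str
    clearance: Level


@dataclass(frozen=True)
class DataObject:
    name: str
    classification: Level


def can_read(subject: Subject, obj: DataObject) -> bool:
    """Simple security property ("no read up"): the subject's clearance must
    dominate the object's classification."""
    return subject.clearance >= obj.classification


def can_write(subject: Subject, obj: DataObject) -> bool:
    """*-property ("no write down"): the object's classification must dominate
    the subject's clearance, so a cleared subject cannot copy data downward."""
    return subject.clearance <= obj.classification


def decide(subject: Subject, obj: DataObject, mode: str) -> tuple:
    """Reference-monitor style check returning (allowed, reason)."""
    if mode == "read":
        allowed, rule = can_read(subject, obj), "simple security property (no read up)"
    elif mode == "write":
        allowed, rule = can_write(subject, obj), "*-property (no write down)"
    else:
        return False, f"DENY: unknown access mode {mode!r}"
    verdict = "ALLOW" if allowed else "DENY"
    return allowed, (f"{verdict} {mode} of {obj.name} [{obj.classification.name}] "
                     f"by {subject.name} [{subject.clearance.name}]: {rule}")


def audit_matrix(subjects, objects):
    """Evaluate every subject/object pair for read and write; useful for checking
    a baseline control set against the classification policy before rollout."""
    return [decide(s, o, m) for s in subjects for o in objects for m in ("read", "write")]


if __name__ == "__main__":
    analyst = Subject("analyst", Level.SECRET)          # constructed subject
    objects = [DataObject("budget.xlsx", Level.CONFIDENTIAL),   # constructed objects
               DataObject("ops-plan.docx", Level.TOP_SECRET)]
    for _, reason in audit_matrix([analyst], objects):
        print(reason)
```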


References

Conklin, W. A., White, G., Williams, D., Davis, R., & Cothren, C. (2012). Principles of computer security: CompTIA Security+™ and beyond (3rd ed.). New York, NY: McGraw Hill.

Office of the Chief Information Officer, Province of British Columbia. (2010). Information Security Classification Framework. Retrieved from

Security Policy. (2013). Retrieved from

Standards. (2013). Retrieved from
