Information Security and Ethics: Protection Policies and Procedures

It falls to those who own information to develop ethical guidelines about how to manage it. Treating sensitive corporate information as a valuable resource is good management. Building a corporate culture based on ethical principles that employees can understand and implement is responsible management. Organizations should develop written policies establishing employee guidelines, procedures, and organizational rules for information.

E-policies typically include: ethical computer use policy, information privacy policy, acceptable use policy, email privacy policy, Internet use policy, and anti-spam policy.

What are security policies or e-policies? Explain three security policies that you would primarily recommend to an organization to have as a minimum, and why. How should security policies be implemented in organizations?

Solution Preview

(1) What are security policies or e-policies?

The security policies or e-policies state in writing how the company will protect its information technology assets. This policy is continuously updated as technology, employees and threats change. The policy will include a section on how the company plans to inform its employees about protecting information-related assets. There will also be a section that describes how the effectiveness of the security policy will be evaluated. Security policies protect the firm from breaches of security. They are an important part of the operations of the information systems. Currently, it is advisable that information security requirements comply with the ISO 17799 security standard. The security policy lists administrative controls such as corporate security policy and password policy. The policy contains different security controls for each classification of information. For example, role-based access controls are used in database management systems.

In a large organization, the security policy has provisions for the appointment of the chief information security officer. His role is defined. This position is distinct and different from that of the Systems Administrator. The security policies or e-policies include policies for information classification, contingency planning, and physical safety. There are policies related to communication and connectivity. These include rules applicable when the system is connected to the Internet, vulnerability scanning, and network management. The security measures applicable to external connections, security of e-mail, and wireless networks are also listed. Currently, the policies have a section on the use of smartphones and electronic signatures.

An important aspect of security policies or e-policies is user registration and management. Access control forms an important aspect of security policies or e-policies. In a large organization there ...

Solution Summary

The answer to this problem explains the protection methods of information-related assets. Two references related to the answer are also included.