Proper protection of the data assembled and recorded in an organization is a core factor for the prosperity and safety of the organization. With the introduction of the Internet into the business environment, accessing and disseminating information has become easy, but it has generated more challenges at the same time, especially with the rise in the number of cyber criminals.
This aspect makes the current business environment extremely fragile. The best way to manage and prevent such incidents is to formulate effective data security strategies. Protected communication helps both the organization and its clients to gain from the resources provided by the Internet.
This understanding underscores the importance of having proper cyber security in an organization. This paper will discuss the procedures of establishing relevant Internet security policies by identifying and describing the procedures, as well as recommending possible solutions to the challenges that arise in the process.
What is a Cyber Security Policy?
To define a cyber security policy, it is first necessary to explain what the term security policy implies. A security policy is a strategy that lists the most vital assets of an organization and gives guidelines on how they are to be safeguarded.
The main reason for formulating the document is to give employees a brief summary of the standard rules for handling information assets, and of illegal and legal practices, thereby involving them in protecting the sensitive documents of the organization.
It is mandatory for any staff member, who intends to access resources that have been classified as vulnerable targets, to refer to the security policies before using the resources (Shoemaker & Conklin, 2011).
A decent security policy should incorporate a number of elements. It must elaborate how confidential documents should be handled and stipulate techniques for maintaining a strong password. Furthermore, it should inform the staff of the steps they should follow in case an incursion occurs (Shoemaker & Conklin, 2011). It should also ensure that the Internet connectivity is protected, as is the company e-mail system.
The major purpose of establishing security guidelines is to set an organization’s data security standard and describe the role of employees in safeguarding the documents of the firm, as well as the significance of protected communication when using the Internet for transacting business. Therefore, cyber security policies mainly focus on the protection policies that safeguard the organization from malicious attackers via the Internet (Shoemaker & Conklin, 2011).
Procedure for Creating Cyber Security Policy
Risk Assessment
The initial step in creating a security policy demands an assessment of the organization’s network and all its vital resources, so that suitable actions can be executed well. The process begins with identifying the organization’s sensitive data resources. This initial stage is referred to as risk assessment.
Risk assessment is the practice of revealing the vital records of the organization as well as the role they play. In this stage, the company identifies the information it intends to conceal and the individuals from whom this data will be hidden, together with the technique the company will apply to safeguard such information (Bayuk, et al., 2012).
For the company to perform an effective risk assessment, those responsible for this process must be conversant with how the organization conducts its activities.
They should also prioritize the data, select the most essential elements, and identify what factors would cause the insecurity of such documents. Moreover, they should identify all the resources that are critical for the company’s performance. Some of these assets may include web servers, application servers, and several projects in progress.
By the end of this stage, the organization should now be aware of the danger it is exposed to by having obsolete software, and the consequences of employees installing file sharing software like E-Donkey, Instant Messaging software, and other entertainment applications provided by anonymous sources.
Risk Management
After completing a proper assessment of the risks to which the organization is vulnerable, the institution should now formulate ideas on how to control these dangers. This process is achieved through a software awareness program (Bayuk, et al., 2012). The main intention of this program is to describe and highlight the duty of every staff member in protecting the vital assets. The program has two sections, viz. training and awareness.
After identifying the purpose of the program, the organization must then estimate the degree of staff security awareness, and then determine whether some employees should be taken through a computer course to improve their computer skills. Once the organization has successfully mapped out how to educate the staff, it then proceeds to outline the techniques for managing the identified threats (Bayuk, et al., 2012).
System Access
The employees must have adequate knowledge of how they can conceal their passwords from outsiders. The password is particularly critical because it determines the level of protection of any system. The staff must know that their User IDs should never be revealed to anyone, including the executives and members of the Information Security Office. This means that, during the implementation of the policy, no one may pressure staff into disclosing their passwords.
Moreover, the password should not be written on any notice board or white board; instead, staff must memorize it so that the password cannot be obtained in the event of a break-in. The passwords must be strong enough that no cracking software can recover them. A strong password has a minimum of seven characters.
The characters are a combination of lowercase and uppercase letters, digits, and symbols such as punctuation marks. It is also wrong to use a single password for several applications across computers, because if that password is recovered, all the other computers would be affected (Muir & Criddle, 2011).
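As an added illustration, not part of the original paper, the following Python code turns the password rules just described into a check an organization could run when a new password is set: the seven-character floor, the four character classes, and the prohibition on using one password across several applications. The function names (`check_complexity`, `find_reuse`, `evaluate_new_password`), the PBKDF2-based verifier format and the sample application names and passwords are all assumptions made for this example; the stored verifiers are constructed inline so the example runs offline.

```python
import hashlib
import hmac
import os
import string
from typing import Dict, List, Tuple

# The paper states a minimum of seven characters; the floor is a parameter so a
# stricter organization can raise it without changing the checking logic.
MIN_LENGTH = 7
PBKDF2_ITERATIONS = 100_000  # assumed work factor for the stored verifiers


def check_complexity(password: str, min_length: int = MIN_LENGTH) -> List[str]:
    """Return the list of rule violations; an empty list means the password passes."""
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if not any(c.islower() for c in password):
        problems.append("no lowercase letter")
    if not any(c.isupper() for c in password):
        problems.append("no uppercase letter")
    if not any(c.isdigit() for c in password):
        problems.append("no digit")
    if not any(c in string.punctuation for c in password):
        problems.append("no symbol")
    return problems


def make_verifier(password: str) -> Tuple[bytes, bytes]:
    """Produce a (salt, digest) pair; the plaintext password is never stored."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


def matches_verifier(password: str, salt: bytes, digest: bytes) -> bool:
    """Constant-time comparison of a candidate password against a stored verifier."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, digest)


def find_reuse(password: str, stored: Dict[str, Tuple[bytes, bytes]]) -> List[str]:
    """Name every application whose stored verifier matches the candidate password.

    Reuse can only be detected at the moment the plaintext is available (when the
    user sets the password), because salted verifiers cannot be compared to each other.
    """
    return [app for app, (salt, digest) in stored.items()
            if matches_verifier(password, salt, digest)]


def evaluate_new_password(password: str,
                          stored: Dict[str, Tuple[bytes, bytes]]) -> List[str]:
    """Apply the complexity rules and the no-reuse rule; empty list means accepted."""
    problems = check_complexity(password)
    reused = find_reuse(password, stored)
    if reused:
        problems.append("already used for: " + ", ".join(sorted(reused)))
    return problems


# Constructed sample: verifiers for the same user's passwords on two other applications.
SAMPLE_STORED = {
    "email": make_verifier("Tr0ub4dor&3"),
    "vpn": make_verifier("Summer!2023"),
}

if __name__ == "__main__":
    for candidate in ["password", "Ab1!xyz", "Tr0ub4dor&3"]:
        result = evaluate_new_password(candidate, SAMPLE_STORED)
        print(f"{candidate!r}: {'accepted' if not result else '; '.join(result)}")
```

The reuse check deliberately compares the candidate against verifiers rather than against plaintext copies of earlier passwords, so the check can be offered without the policy engine ever holding the passwords it guards.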
Web Browsing
Web browsing can have detrimental effects on the entire company if not handled discreetly. While surfing the web, the staff can easily encounter malicious scripts that, once downloaded, can damage the computer. This scenario can happen simply because the staff member used an unsuitable web browser.
The security policy should inform the staff about the prohibited and legal sites. For instance, employees must know that Java as well as ActiveX should always be disabled when browsing. The policy should underscore the fact that pornographic and betting sites should never be accessed under any circumstances. Furthermore, the staff must know that any website that floods the network with traffic should be avoided.
E-mail and Instant Messaging
Unfortunately, one of the communication channels most vulnerable to malicious attackers is the e-mail system, because it is exposed to everyone, ranging from potential clients to potential attackers. Therefore, a company must install verified malicious code security software on every mail gateway (Furnell & Downland, 2010). This software detects and removes the most common dangerous files as well as threatening messages.
The security policies should outline standard e-mail practices. Before any attachment received via e-mail is opened, it has to be scanned and the sender contacted to verify that the attachment is safe. The policy should prohibit the running of programs received as attachments. The organization’s e-mail accounts should never be used for communication in web forums (Furnell & Downland, 2010).
Furthermore, no staff member should be permitted to use the e-mail account to transact personal business. The Information Security Officer should always be consulted before opening chain letters or sending any of the organization’s details to a stranger. Proper observance of such policies can protect the company from cyber theft.
Moreover, some workers use Instant Messaging (IM) to socialize with the outside world, unaware of the dangers they are exposed to in the process. One can easily be exploited simply by using an outdated, buggy version. The staff should always be extremely discreet when sharing information via IM, irrespective of the relationship between the parties involved, since the outside party may intend to distribute dangerous Trojans (Furnell & Downland, 2010).
Virus Protection
Trojans have a damaging effect on a company’s data system. When establishing an Internet security policy, the organization must ensure that it informs the staff of the dangers that viruses cause to a computer coupled with how they can identify and eliminate a virus that infects the data system. Moreover, the policy should explain the type of antivirus the organization uses as well as how often it will be updated (Gregory, 2011).
Incident Management
The security policy should outline the recommended Internet practices. Furthermore, the organization should formulate rules to ensure effective supervision of employees while they are online (Muir & Criddle, 2011). There should be clear procedures to follow when disciplining employees who contravene the rules.
Notably, there should be clear guidelines to observe in the event of an intrusion into the sensitive information. The staff must know which person is tasked with handling such an intrusion, in order to limit the impact that an infiltration may have on the company.
Revision of the Policy
After assessing the risks and setting the management policies and the actions to be taken against workers who violate them, the organization then proceeds to the stage of revision. This stage is a critical step because it helps in rectifying any existing mistakes so that the policy may be durable. The organization must assess a number of factors before launching the security policy.
The cyber security policy should highlight the role of every worker in guarding the sensitive and confidential records to minimize incidents of misunderstanding.
The policy must state what is under protection and why there is a need to secure it. The document must be brief, precise, and not more than two pages. Furthermore, the organization must disclose why it is creating the security policy, whether it is for the entire company or just a single department. It should convince the employees why maintaining security will benefit both the organization and the workers. Once these matters are addressed, the organization can go ahead and implement the policy.
Challenges and Solutions of Formulating and Implementing a Cyber Security Policy
Establishing a cyber security policy is always demanding, considering the challenges that the company has to face throughout the process. Some Information Security Officers may be incompetent to the extent of establishing an outdated security policy.
The workers may also decide not to cooperate with the administration in the formulation of policies. Furthermore, during the implementation of security policies, there may be unceasing conflict with employees because of their lack of literacy in issues pertaining to information security. The organization may also have inadequate finances to fund the implementation of the policy, for instance for purchasing and updating antivirus software.
If administrators want to create and execute a successful security policy, they must be ready to overcome these barriers. The executives should always consult workers when formulating such rules. They should also seek assistance from computer experts to produce a standard security policy.
The workers should be taken through a computer course so that they can detect and handle problems that might arise when using the Internet. Moreover, the organization should include information security as a matter for deliberation when drawing up its budget, in order to prevent a lack of finance throughout the process of safeguarding the critical documents.
Conclusion
The prosperity and safety of any organization relies on how safely its information is kept and maintained. Data security begins with the creation of a security policy, which also includes cyber safety. The security policy should be integrated so as to describe what is permitted as well as what is illegal.
Though there may be challenges in the implementation process of the policies, managers must be committed to monitoring the Internet risks and training the workers on security issues as well as disciplining those who are found guilty of violating any of the rules. New technological developments and malicious attackers acquire new ideas daily; therefore, organizations must be ready to adjust to these dynamics to secure their records from the outside world.
References
Bayuk, L., Healey, J., Rohmeyer, P., Sachs, M., Schmidt, J., & Weiss, J. (2012). Cyber Security Policy Guidebook. New Jersey, NJ: John Wiley and Sons.
Furnell, S., & Downland, P. (2010). E-mail Security: A Pocket Guide. United Kingdom, UK: IT Governance Ltd.
Gregory, P. (2011). Computer Viruses for Dummies. Indiana: John Wiley & Sons.
Muir, N., & Criddle, L. (2011). Using the Internet Safely For Seniors for Dummies. Indiana: John Wiley & Sons.
Shoemaker, D., & Conklin, W. A. (2011). Cybersecurity: The Essential Body of Knowledge. Massachusetts: Cengage Learning.