Introduction
Since its inception, the Internet has experienced threats in its underlying communications network and nodes, protocols, network administration as well as host systems.
These threats have repeatedly been located in the security mechanisms of the hosts (Doddrell, 1995; Highland, 1996), examples being the ability to gain unauthorized access to private resources and the ability to obtain passwords without authorization. Furthermore, the commercial usage of the Internet has introduced new threats, such as the interception of data in transit by competitors or criminals.
Hackers, competitors, disgruntled employees and ex-employees have been exploiting Internet threats (Doddrell, 1995), forcing banks to recognize the changed nature of the Internet environment from uncompetitive and trustworthy to competitive and hostile. There is also increasing fear within the banking sectors over threats emanating from their own, trusted employees.
In other words, banks and other organizations are not only exposed to Internet threats from outside their boundaries, but can also themselves represent threats to other Internet users. This relatively new Internet security problem for organizations demands solutions in the form of different security policies, procedures and mechanisms.
This paper will discuss acquired expertise, judgment and maturity on the subject of cyber/information security, as well as Internet security policy and associated procedures which convey security guidance and rules to an organization and its employees.
Organization’s policy on the use of corporate digital resources
The networking of distributed data and documents requires the interoperability of systems and services, which in turn require standards. In the development of an Internet security policy for a bank, it is essential that the risks to the organization arising from the Internet connection be addressed.
This requires the identification of pertinent risks, followed by a prioritization of those risks by means of a risk assessment (Gollmann, 1999). Banks need to adopt a holistic perspective in any solution to information security (Hartmann, 1995; Hitchings, 1995; Lichtenstein, 1996; Yngstrom, 1995), and for this reason their Internet security policies should include administrative, human and technical Internet security considerations.
However, organizations have largely disregarded the need for an Internet security policy. This may be partly because of the limited guidance that has been available for the development and definition of such a policy.
Accordingly, the framework for an organization’s Internet security policy must consider the Internet risks experienced by the organization, and must feature a holistic approach to development. Use of the framework will allow the production of well-structured, comprehensive and effective Internet security policies for organizations (Engestrom, 2000).
Internet Security Policies
Various Internet security policies for banks exist; for example, the NASA Internet Acceptable Usage Policy (NASA, 1996). Although current bank policies appear to be either acceptable usage policies or information protection policies, the following six sub-policies form part of an organization’s Internet security policy:
- Enterprise Internet acceptable usage policy
- Employee Internet acceptable usage policy
- Internet information protection policy
- Internet information publication policy
- Internet information access policy
- Internet employee privacy protection policy
Each of these is summarized below:
Enterprise Internet acceptable usage policy: This policy should contain guidelines for the organization indicating acceptable and unacceptable uses of its Internet connection.
Employee Internet acceptable usage policy: This policy should contain the security responsibilities for individual employees, and the acceptable and unacceptable purposes for which the employees may use the organization’s Internet connection.
Internet information protection policy: This policy should contain guidelines for the protection of the organization’s information resources from risks emanating from other Internet participants.
Internet information publication policy: This policy should contain guidelines for the division, allocation, electronic publication, and dissemination of information via the Internet.
Internet information access policy: This policy should contain guidelines for allowing and disallowing access to an organization’s information resources via the Internet.
Internet employee privacy protection policy: This policy should contain guidelines for providing an organization’s employees with privacy protection from other Internet participants.
Conclusion
Standards and practices for interoperability of digital information in the banking sector must incorporate the means to authenticate senders, receivers, sources, data, and documents, and to determine copyright and access permissions (Baskerville, 1988).
Finding ways to address these requirements while facilitating open access to information, ease of use, and adaptation to local practices is among the grander challenges of constructing an information infrastructure (Agree, 2003). Given the empirical data indicating current and planned activity in Internet security policy within organizations, it is obvious that success can be achieved.
Reference List
Agree, P. E. (2003). Information and institutional change: The case of digital libraries. Cambridge, MA: MIT Press.
Baskerville, R. (1988). Designing Information Systems Security. Hoboken, New Jersey: John Wiley & Sons.
Doddrell, G. R. (1995). Information security and the Internet. Information Management & Computer Security, 3(4), 15-19. doi: 10.1108/09685229510123629
Engestrom, Y. (2000). Activity theory as a framework for analyzing and redesigning work. Ergonomics, 43(7), 960-974. Web.
Gollmann, D. (1999). Computer Security. Hoboken, New Jersey: John Wiley & Sons.
Hartmann, A. (1995). Comprehensive information technology security: A new approach to respond to ethical and social issues surrounding information security in the 21st Century. Eleventh International Conference on Information Security, 13(2), 100-220. Web.
Highland, H. J. (1996). Random bits & bytes. Computers & Security, 16(1), 4-13. Web.
Hitchings, J. (1995). Achieving an integrated design: The way forward for information security. Eleventh International Conference on Information Security, 13(2), 100-220. Web.
Lichtenstein, S. (1996). Information security principles: a holistic view. Melbourne, Australia: Monash University Press.
NASA. (1996). NASA Internet acceptable usage policy. Technical report, 14(8), 220. Web.
OECD. (1992). Guidelines for the security of Information systems. OECD/GD, 190(92), 166. Web.
Yngstrom, L. (1996). A Systemic-Holistic Approach to Academic Programmes in IT Security. Eleventh International Conference on Information Security, 13(2), 220. Web.