Introduction
An information security policy is a document designed by an organization to give employees best practices for the use of the organization's technology equipment and related services.
It may also be regarded as a blueprint used by an organization to ensure that staff use the available technology services as intended. An information security policy is also the tool through which an organization specifies the responsibilities of different individuals for the security of information in the organization.
It provides a framework for maintaining information security, sets out security policies and procedures, and states what is expected of end users (Whitman & Mattord, 2010). Generally, the information security policy document is a useful guide for the successful deployment of an information security program across an organization.
The information security policy must directly support an organization's vision and mission statements. It must also be defensible should it be challenged legally. It is an executive level document, drafted in consultation with the CIO and other executives.
Typically, the information security policy shapes the security philosophy of an organization's information technology environment. It is a relatively stable document that is not subject to frequent change, although it should still be reviewed periodically and revised when the direction taken by the organization changes radically.
The information security policy also protects the availability, integrity, confidentiality, and authenticity of information. Furthermore, it underpins such societal goods as privacy, the protection of digital identity, and the protection of intellectual property.
This paper presents an information security policy for Kruger Exporters, an international exporter based in the United States of America. The company has its headquarters in the United States but with a presence in Africa and Asia.
All transactions are centrally administered at the U.S. office. The information security policy for Kruger Exporters is presented in two distinct sections.
The first section covers the introductory aspects of the information security policy, while the second presents the policy criteria, which outline how the company will guarantee the security of its information systems and govern the use of its technology equipment and services.
Information Security Policy for Kruger Exporters
With the increased use of technology, organizations have no choice but to work hard at ensuring that the use of technology in information management is secure and reliable.
To accomplish this, a well thought out information security policy is of paramount importance. Without an effective information security policy in place, an organization faces the difficult task of controlling the use of its information systems and other technology services.
More importantly, a working information security policy enables an organization to retain its customers and make good use of its information technology services. If the growth of Kruger Exporters' ecommerce transactions is to be sustained, the security of those transactions must be dealt with effectively.
Considering that Kruger Exporters is a global organization with branches and customers located on different continents, much of its business takes place over the Internet.
As such, the company faces numerous challenges in securing its ecommerce transactions, as well as in ensuring that its information technology equipment and services are not abused by anyone.
As the Chief Information Officer at Kruger Exporters, I present the following security policy that will be useful to ensure that the company meets its information technology requirements. As stated earlier, this is given in two separate sections.
Policy Introduction
Document Information
Generally, the use of technology presents serious challenges to organizations that embrace it in their operations. Since its inception in the 1970s, for example, the Internet has exhibited vulnerabilities in its underlying communications network and nodes, its protocols, its network administration, and its host systems.
Ordinarily, these vulnerabilities have been located in the security mechanisms of the hosts; examples are the ability to obtain unauthorized privileged access and the ability to gain unauthorized access to passwords.
In addition, commercial use of the Internet has introduced new threats such as the interception of data in transit by competitors or criminals. Hackers, competitors, disgruntled employees and former employees have all exploited Internet vulnerabilities to serve their own ends.
Due to these developments, organizations have been forced to acknowledge that the Internet environment has changed from friendly to competitive and hostile. Given that Kruger Exporters conducts most of its business through the Internet, security is critical, especially if the company is to gain the confidence of its customers.
There is also increasing concern within Kruger Exporters over threats emanating from its own trusted employees. For example, an employee can send information over the Internet to a global audience while falsely presenting himself or herself as a spokesperson for the company.
Kruger Exporters is therefore not only exposed to Internet threats from outside its boundaries; it can also be a source of threats to other Internet participants.
This security policy document will provide a clear statement of the information security policy, and this must be communicated to all users as well as any other relevant parties.
The policy will be kept in a central location and be available to all users at all times. Moreover, it will be communicated to users as part of granting them access to the company's systems.
In generating Kruger Exporters information security policy regarding the use of its technology related services, at least seven key areas must be addressed.
These seven areas may be regarded as sub policies within the information security policy and include the organization’s technology acceptable usage policy, employee acceptable usage policy, Internet acceptable usage policy, Internet information protection policy, Internet information publication policy, Internet information access policy, and Internet employee privacy policy.
Typically, these sub policies provide a strong guide for the access and use of the technology equipment as well as Internet services offered by Kruger Exporters.
Audience
Considering the type of business that Kruger Exporters is involved in, this document is intended for the company’s staff who are scattered across different continents.
However, it is important to note that Kruger Exporters also interacts with many other people within and outside the company in order to get certain things done. Among them are third party service providers and regulatory bodies. The audience thus goes beyond staff in the company.
Ideally, this security policy will make employees at Kruger Exporters responsible and accountable for understanding and following information security rules, for using the available mechanisms to protect their systems, and for following site specific policies.
Purpose
As explained earlier, the challenges that may be faced by Kruger Exporters demand a well designed solution in the form of an information security policy embedded with procedures and mechanisms for handling security related issues.
This information security policy and its associated procedures will convey security guidance and rules to be used by all staff at Kruger Exporters regarding access to and use of the Internet and other technology related services in the company.
Scope
As noted earlier, this information security policy will cover staff and any other third party individuals and organizations that interact with Kruger Exporters in the course of carrying out its business.
However, although others are covered by this information security policy, Kruger Exporters' staff at the different locations are the major users of the company's technology services, especially the Internet, and are, therefore, the main target of this information security policy.
Policy Criteria
Objectives
These information security policy criteria are meant to ensure that all staff members at Kruger Exporters, regardless of where they are, have a reliable and well maintained information security policy which serves as a guide on how to use the company's systems and information technology services in such a way that security is not compromised.
When staff members understand the implications of not following the set guidelines, they are more likely to follow them without making excuses.
Although a single deviation from the policy may have no immediate, visible effect on the business processes of Kruger Exporters, the need to have an effective information security policy in place is very important and cannot be underestimated if Kruger Exporters is to secure its operations and remain competitive (Artiges, 2004).
The Chief Information Officer at Kruger Exporters will identify some members of his or her information technology department to assist other users in ensuring that information security policy is properly followed. In addition, others will be given the authority to enforce the use of the policy.
Compliance
All staff at Kruger Exporters are required to comply with all the guidelines put in place by the Chief Information Officer. Failure to comply will result in disciplinary measures against the offenders. The guidelines are, therefore, necessary to ensure that every user does what the company expects of him or her.
Responsibilities
The main responsibility of ensuring that every user abides by the set rules and regulations lies with the Chief Information Officer. However, the CIO may select members of his or her information technology department to assist with the implementation.
Where necessary, the CIO will get the support of the top management to ensure that set guidelines are followed and that every user is fully aware of what they need to do as far as security issues are concerned.
Despite the fact that the CIO and his team have the responsibility to train all users and make sure that they understand what has to be done, it is also the responsibility of the individual users to learn and ensure that they understand the institution’s expectations on them.
Implementation
The following are the criteria to be followed by Kruger Exporters to guarantee the security of its information and the use of technology services within the company.
Considering the type of services that may be useful to staff at Kruger Exporters, two things must be addressed by the information security policy. First, there is the implementation and management of a firewall and secondly, there is the use of digital certificates. These are explained as follows.
Firewall Implementation and Management
Firewalls are a very critical security asset that may be used by Kruger Exporters to protect its information resources (Plotkin, Wells & Wimmer, 2003).
It is vital that all firewalls be configured, implemented, and maintained in a standardized and secure manner. In response to the risk discussed previously, this subsection describes Kruger Exporters’ official policy regarding the implementation and management of a firewall.
Configuration and Implementation
Among the most critical configuration and implementation considerations for Kruger Exporters are:
Operating System
Before a firewall can be deployed on an operating system, that operating system must be fully hardened and tested in accordance with the standards determined by the Chief Information Officer. Kruger Exporters' Operating Systems Standards should be consulted for direction.
Responsibility
Before implementation, an administrator must be identified as responsible for the firewall. The administrator should be fully responsible for maintaining both the firewall software and the underlying operating system.
The administrator may select up to two other individuals to assist in maintaining the firewall. However, these individuals must be approved by the Chief Information Officer.
Access
Only the firewall administrator and his or her approved assistants may access the firewall and its operating system, and only they may hold administrative access to the operating system and the firewall software.
Default Rule
All of Kruger Exporters' firewalls are built on a default deny premise: any traffic that is not expressly permitted is denied.
Maintenance
Two important considerations under maintenance are the handling of logs and the rules governing changes to the firewall.
Logs
The firewall administrator is responsible for ensuring the daily review and archiving of firewall logs.
Rules
Only the firewall administrator is authorized to make changes to the firewall's configuration. All change requests must, therefore, be forwarded to the firewall administrator and approved by the Chief Information Officer before any change is made.
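As an added example (not code from the Kruger Exporters policy document), the following Python script applies the two operational rules above, the default deny premise and the daily log review, to constructed data: it lints a rule list for a missing or bypassed catch-all deny, and it summarizes the denied connection attempts recorded in netfilter-style log lines so that the reviewing administrator can spot a source probing many ports. The rule format, the log format and all sample rules and log lines are assumptions made for illustration.

```python
"""Default-deny ruleset lint and daily review of denied-traffic logs.

Added example for the Kruger Exporters firewall policy; it is not part of the
original document. Assumptions: rules are simple dicts evaluated first-match,
and log lines follow the netfilter/iptables "KEY=value" kernel log format.
All sample rules and log lines below are constructed for illustration.
"""
import re
from collections import Counter, defaultdict


def _is_catch_all(rule):
    """True for a rule whose source, destination and port are all wildcards."""
    return rule["src"] == "any" and rule["dst"] == "any" and rule["port"] == "any"


def check_default_deny(rules):
    """Lint a first-match ruleset against the "not expressly permitted is denied" premise.

    Each rule is {"action": "allow"|"deny", "src": ..., "dst": ..., "port": ...}
    with "any" as the wildcard. Returns a list of findings (empty means clean).
    """
    if not rules:
        return ["empty ruleset: nothing is explicitly permitted or denied"]
    findings = []
    last = rules[-1]
    if not (last["action"] == "deny" and _is_catch_all(last)):
        findings.append("final rule is not a catch-all deny")
    for i, rule in enumerate(rules):
        if rule["action"] == "allow" and _is_catch_all(rule):
            findings.append(f"rule {i}: allow any/any/any defeats default deny")
        if rule["action"] == "deny" and _is_catch_all(rule) and i < len(rules) - 1:
            findings.append(f"rule {i}: catch-all deny shadows {len(rules) - i - 1} later rule(s)")
    return findings


# Assumed log format: netfilter-style KEY=value fields on a syslog line.
_FIELD = re.compile(r"\b(SRC|DST|PROTO|SPT|DPT)=(\S+)")
_DENIED = re.compile(r"\b(DROP|DENY|BLOCK|REJECT)\b")


def parse_log_line(line):
    """Return the SRC/DST/PROTO/SPT/DPT fields of a firewall log line, or None."""
    fields = dict(_FIELD.findall(line))
    if "SRC" not in fields or "DST" not in fields:
        return None  # not a packet log entry (e.g. an sshd message)
    return fields


def summarize_denied(lines):
    """Count denied connection attempts per (source address, destination port)."""
    counts = Counter()
    for line in lines:
        if not _DENIED.search(line):
            continue  # accepted traffic and non-firewall lines are not of interest here
        entry = parse_log_line(line)
        if entry is not None:
            counts[(entry["SRC"], entry.get("DPT", "-"))] += 1
    return counts


def flag_port_scanners(counts, min_ports=3):
    """Sources denied on at least `min_ports` distinct destination ports."""
    ports_by_src = defaultdict(set)
    for src, dpt in counts:
        ports_by_src[src].add(dpt)
    return sorted(src for src, ports in ports_by_src.items() if len(ports) >= min_ports)


# Constructed sample data (not taken from any real device).
GOOD_RULES = [
    {"action": "allow", "src": "any", "dst": "198.51.100.10", "port": "443"},
    {"action": "allow", "src": "10.0.0.0/8", "dst": "198.51.100.10", "port": "22"},
    {"action": "deny", "src": "any", "dst": "any", "port": "any"},
]
BAD_RULES = [
    {"action": "allow", "src": "any", "dst": "any", "port": "any"},
    {"action": "deny", "src": "any", "dst": "any", "port": "any"},
    {"action": "allow", "src": "10.0.0.0/8", "dst": "198.51.100.10", "port": "22"},
]
SAMPLE_LOG = """\
Mar  3 02:14:07 fw1 kernel: [FW DROP] IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.10 PROTO=TCP SPT=51234 DPT=22
Mar  3 02:14:09 fw1 kernel: [FW DROP] IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.10 PROTO=TCP SPT=51235 DPT=23
Mar  3 02:14:11 fw1 kernel: [FW DROP] IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.10 PROTO=TCP SPT=51236 DPT=3389
Mar  3 02:15:00 fw1 kernel: [FW DROP] IN=eth0 OUT= SRC=198.51.100.77 DST=198.51.100.10 PROTO=TCP SPT=40000 DPT=22
Mar  3 02:15:02 fw1 kernel: [FW DROP] IN=eth0 OUT= SRC=198.51.100.77 DST=198.51.100.10 PROTO=TCP SPT=40001 DPT=22
Mar  3 02:16:00 fw1 kernel: [FW ACCEPT] IN=eth0 OUT= SRC=10.1.2.3 DST=198.51.100.10 PROTO=TCP SPT=5555 DPT=443
Mar  3 02:16:30 fw1 sshd[123]: Accepted publickey for admin from 10.1.2.4
""".splitlines()

if __name__ == "__main__":
    for finding in check_default_deny(BAD_RULES):
        print("ruleset:", finding)
    denied = summarize_denied(SAMPLE_LOG)
    for (src, dpt), n in denied.most_common():
        print(f"denied {n:>3}x  {src} -> port {dpt}")
    print("possible scanners:", flag_port_scanners(denied))
```

The lint flags the three ways a ruleset silently abandons default deny: no terminating catch-all deny, an allow any/any/any rule, or a catch-all deny placed before rules it shadows. The log summary keys on source address and destination port rather than on individual lines, which is what makes a single source touching many ports stand out in a daily review.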
Use of Digital Certificates
Generally, digital certificates are issued by Certificate Authorities and are used to authenticate users and ensure that only the right people gain access to information across the company.
It is, however, important to understand that technologies by themselves do not solve security problems. People must know where, when, and how to use them in the context of their security needs.
As a major requirement, the Chief Information Officer must ensure that a company wide directive on the use of digital certificates is present and followed properly. Proper implementation of this policy will ensure that any person using digital certificates does so by following the guidelines outlined by Kruger Exporters’ Chief Information Officer.
Controls
In general, controls, safeguards, and countermeasures are terms used for security mechanisms, policies, and procedures. These mechanisms, policies, and procedures counter attacks, reduce risks, resolve vulnerabilities, and otherwise improve the general state of information systems security within the organization (Cade & Roberts, 2002).
In the case of Kruger Exporters, three general categories of controls may be implemented: controls for policies, programs, and technologies. Policies are documents that specify Kruger Exporters' approach to security. Four types of security policies will be put in place.
They include general security policies, program security policies, issue specific policies, and system specific policies. The general security policy is an executive level document that outlines the company’s approach and attitude toward information security and clearly states the strategic value of information security within the company.
This document will be created by the Chief Information Officer in conjunction with the Chief Executive Officer and will set the tone for all subsequent security activities. The program security policy is a planning document that outlines the whole process of implementing security in the company.
This policy is the blue print for the analysis, design and implementation of security. Issue specific policies will address the specific implementations or applications of which users should be aware.
These policies are typically developed to provide detailed instructions and restrictions associated with security issues. To be covered in this category are policies for Internet use, email, and access to buildings.
Finally, system specific policies will address the particular use of certain systems. These will include firewall configuration policies, system access policies, and other technical consideration areas.
Different parts of the information security policy will be enforced by, among others, the Chief Information Officer, the system administrators, and the company's top management.
Third party organizations will also be involved where necessary. For example, the use of digital certificates will require the cooperation of Certificate Authorities. Internet Service Providers will also be involved to ensure that the security policy is not compromised.
Table 1 presents a summary of some of the components of Kruger Exporters’ information security policy document.
Table 1: Information Security Policy Components
Conclusion
Information security is now every company's concern. The way we live and do business is underwritten by information system infrastructures, with the Internet being the most fundamental of them. Put plainly, information security today protects the ability of an organization to function.
Although the use of technology related services has brought numerous benefits to both individuals and organizations, it has been accompanied by several challenges that must be addressed to ensure profitable use.
In order to deal with such challenges, it is essential for any organization to have a strong information security policy in place that cautions it and its employees against the abuse and improper use of technology services.
This paper has proposed an information security policy that should be used by Kruger Exporters to meet the above objective. This information security policy provides guidance to all staff at Kruger Exporters regarding the use of Internet and other technology related services offered by the company.
Beyond doubt, an effective information security policy document is of great importance and must, therefore, be a well thought out and designed document.
References
Artiges, M. (2004). BEA WebLogic Server 8.1 Unleashed. Indianapolis, IN: Sams Publishing.
Cade, M., & Roberts, S. (2002). Sun Certified Enterprise Architect for J2EE Technology: Study Guide. Upper Saddle River, NJ: Prentice Hall Professional.
Plotkin, M. E., Wells, B., & Wimmer, K. A. (2003). Ecommerce Law & Business. New York, NY: Aspen Publishers Online.
Whitman, M. E., & Mattord, H. J. (2010). Management of Information Security. Boston, MA: Cengage Learning.