Information security is all about keeping corporate information safe. Policies address the requirement to protect information from disclosure, unauthorized access, loss, corruption and interference and are relevant to information in both electronic and physical formats.
As we saw in a previous post, information security can be defined by three properties:
- Confidentiality – information must not be made available or disclosed to unauthorised individuals, entities or processes
- Integrity – data must not be altered or destroyed in an unauthorised manner, and its accuracy and consistency must be preserved regardless of changes
- Availability – information must be accessible and usable on demand by authorised entities
Documented policies and procedures take the guesswork out of information security and enable an organisation to manage business risk through defined controls that provide a benchmark for audit and corrective action.
Without documented policies and procedures, each employee and contractor will act in accordance with their own perception of acceptable use, and system management will be ad hoc and inconsistent. Staff will not know whether they are acting within the organisation’s risk appetite or not.
Security attacks against organisations are increasing in both number and sophistication, and we must ensure our systems can be protected against these threats. The first step in achieving this is to document the rules and guidelines for system management, operation and use. By complying with these rules and guidelines, organisations do everything they reasonably can to protect their systems and their people from security threats.
In closing, it is important to recognise that effective information security policies protect staff as much as they protect the organisation.