Security Policies

In Cybersecurity by Ian Carnaghan

Bosworth et al. (2009) stress the importance of formality when creating an ethics policy. They emphasize that clear documentation, clear motivation, clear sanctions, and clear management support at every level, including the top, are all important pieces of an effective policy. I work for a management consultancy firm in the Washington DC Metro area that works with many different types of government and commercial projects requiring different levels of security clearance and management of sensitive information.

An acceptable use policy would need to address access level restrictions for both physical and virtual assets. Physical access would involve access badges for the appropriate sections of the facilities and specific key cards to gain access to government systems where needed. The policy should enforce strict rules on locking down laptop equipment, on not leaving mobile equipment such as company phones and tablets unattended, and on travel with laptop equipment. For virtual access, meaning access to software specifically, the policy should set strict password policies, prohibit sharing of user credentials, require vigilance in protecting personal user credentials, and require appropriate locking of the operating system when not in use. The acceptable use policy should also address unacceptable use such as illegal activities, hacking, probing or scanning systems, disabling virus protection or firewalls, and installing unlicensed software, to name a few.

An Internet policy should let the end users know that all activities are being monitored. “In order to give staff members the feelings of autonomy and ownership, they need to know the rules.” The policy should be very clear on what is acceptable and unacceptable behavior online. If there are specific rules for downloading software, they should be clearly described in the policy.

References:

  1. Bosworth, S., Kabay, M.E., & Whyne, E. (2009).  Computer Security Handbook.  Volume 1.  Hoboken, NJ: John Wiley & Sons, Inc.
  2. Komando, K.  (2012).  Why you need a company policy on Internet use.  Microsoft Business.  Retrieved from: http://www.microsoft.com/business/en-us/resources/management/employee-relations/why-you-need-a-company-policy-on-internet-use.aspx?fbid=SOWHr6Z3mUe