Data Protection and Security

I. Introduction to Information Security

I.III Security Management and Policies

Talking about security is meaningful only within an organizational context. As an extreme comparison, consider a small office and a military base. While you might think that your office is secure enough with a strong lock on the door, for the military base a lock can be only one of a hundred different measures employed together for security. Therefore, before anything else, we first need to identify the assets in our organization and their values. The more valuable our assets are, the more critical security is for us.

Secondly, we should identify the vulnerabilities, threats and risks to our assets. This is also an important issue because no security measure protects against every possible attack. If your office is on the first floor, a lock on the door is not sufficient: you should also consider a possible intrusion through the windows and take the necessary measures accordingly.

Even for the military base, absolute security is not possible, no matter how sophisticated your measures are or how much money you have spent. The cost of a security measure has to be justified by the risk it mitigates. This is not a one-time event but a continuing process, as shown in the figure below.

Thirdly, you should also identify legal and contractual requirements. For instance, if you have insurance, before buying a lock or an alarm for the door it would be a good idea to read the insurance policy to learn its conditions for theft reimbursement.

Answering the three questions discussed above leads to a security policy document, which defines exactly what security means for the organization. The security policy defines the authorized and prohibited actions in the organization and clarifies the general and specific responsibilities of the employees.

Besides all this, the security policy also explains the security measures (of prevention, detection or reaction type) implemented against the threats. There should also be a detailed plan for training employees on security issues, since it might be very difficult, if not impossible, to solve some security problems by technical measures alone.

It is preferable to have a single manager in charge of the enforcement, maintenance, review and evaluation of the effectiveness of the security policy. For a precise definition of security policies, there are formal security policy models which can be automatically enforced within the organization.

Figure I.III-I: Diagram that depicts basic security management.
