Detailed Report on Information Security Policy Guidelines (COIT20263)

Added on  2022/07/28

Information security management 1
Information security management: information security policy
Student’s name
Course
Name of the professor
Date
Executive summary
This report discusses the operations and considerations undertaken in designing a suitable information security policy system. It begins with a brief introduction to information security, the reasons for protection, and the consequences an organization can face if protection is not in place. The body discusses all the steps involved in designing and implementing the information security system.
Contents
Introduction
Discussion
  Risk analysis
  Information security development policy
  System protection
    Virus protection
    Installation of software
  Internet threats
    Web browsing
    Use of email
    Instant messaging software
    Downloading
Violation of the security policy
Revising the policy
Policy implementation
Conclusion
Bibliography
Information security management policy
Introduction
Since the development of computer networks, there has been growing interest among people who seek to exploit them. In the past, the reasons for such exploits were non-malicious and for learning purposes. This has changed considerably, as many individuals, such as hackers, now seek to break into computer networks for various reasons. Firstly, many people want to steal and leak information about an organization's customers, internal employees, or even personal data held by the organization (Xu et al., 2014). Sometimes hackers get into the network to steal information in order to impersonate someone and use the identity for something else, such as transferring money or taking loans in the case of internet banking. Secondly, some hackers get into an organization's computer networks just to disrupt services and leave a statement on the website to scare the organization about its network security. These hackers may create a large number of bots that overwhelm the server with traffic and cause it to crash. In other cases, they may infect a large network with malicious software, ultimately affecting the whole network. The final reason is money. Some hackers break into computer networks and demand money in exchange for not leaking information or interfering with the entire system (Soomro, Shah, & Ahmed, 2016). Whenever online or mobile banking is involved, they divert transactions or use the opportunity to transfer money to accounts they own.
In many cases, organizations only react after their systems have been damaged or information has leaked. For the reasons outlined above and many more, there is always a need to protect the network thoroughly in order to maintain confidence in the business, especially where information is very important and online transactions take place. Proactive security testing should also be conducted regularly, since hacking happens daily around the globe.
Discussion
Information security is a way of preventing unauthorized access to the computer network that could lead to unacceptable use, modification, exposure, disruption, or destruction of an organization's information (Parsons et al., 2014). Within the Farmer 4 Farmer cooperative society, network security is needed to maintain the confidentiality of the organization's information. With a network security system implemented, the organization's technology and information assets will be protected, which is the ultimate aim of the system. Several elements are involved in the information security system.
Risk analysis
In every management system, assessment is vital in order to ascertain the various risks that may threaten the organization's system. Essential information assets are identified at this stage along with their uses and functions (Faris et al., 2014). This is basically a matter of identifying what to protect, from whose access, and how the protection is going to be carried out. For the risk analysis to be conducted properly, the organization's operations must be understood. In the case of the Farmer 4 Farmer cooperative society, there will be a database of farmers' information and of clients' information. In addition, there is confidential information for the managing director and the data analyst, and the logistics information. The interactions between the various departments and the clients of the organization must also be protected from unauthorized access (Parsons et al., 2017). The people eligible to access specific information in the system are the organization's employees, whose access is further limited according to their duties and responsibilities. The other groups with access are the farmers and the clients, who are also restricted to the information directed to them. Finally, the public is given only very minimal access to the organization's information: basic information such as the role of the organization, directions to the offices, and inquiry contacts.
The focus of this project is therefore, firstly, the hardware, which includes all the servers, workstations, computers, communication lines, and removable media such as floppies and tapes. The second area of focus is the software. At this stage, information security problems that may arise from outdated software, infrequent patching, and new software updates will be assessed (D'Arcy, Herath & Shoss, 2014). Finally, the focus turns to personnel. At this point, access is defined in terms of information sensitivity.
Information security development policy
At this stage, it is appropriate to manage all the threats identified during the risk analysis stage. Information security should start at the first point of physical contact with either an office computer or a personal laptop. The policy should clearly define the conditions and requirements for access to the organization's information by any staff member.
System protection
Controlling system access is one of the primary means of protection. With this in mind, the Farmer 4 Farmer cooperative's information technology manager should organize an informative meeting with all the departmental heads to brief them on the need for system protection. In the meeting, each department should be taught the important benefits of using strong passwords of at least eight characters that mix letters, digits, and symbols in both lowercase and uppercase. As part of this security awareness program, tips should be shared with the finance manager on how to safeguard all accounting information and on the dangers that may arise when there is no proper password.
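The password rule stated above, written out as a checker that reports which requirements a candidate password fails. This is an added example and not part of the original report; the rule names and the check_password() function are assumptions made for the illustration.

```python
"""Password policy check for the rule stated in the report: at least eight
characters mixing lowercase, uppercase, digits and symbols.
Example code added for illustration; not part of the original report.
The rule names and function names are assumptions."""
import string

# Each rule pairs a human-readable name with a predicate over the password.
# Reporting every failed rule (not just the first) gives staff actionable feedback.
PASSWORD_RULES = [
    ("at least eight characters", lambda p: len(p) >= 8),
    ("at least one lowercase letter", lambda p: any(c.islower() for c in p)),
    ("at least one uppercase letter", lambda p: any(c.isupper() for c in p)),
    ("at least one digit", lambda p: any(c.isdigit() for c in p)),
    ("at least one symbol", lambda p: any(c in string.punctuation for c in p)),
]


def check_password(candidate: str) -> list[str]:
    """Return the names of the rules the candidate fails (empty list = compliant)."""
    return [name for name, passes in PASSWORD_RULES if not passes(candidate)]


def is_compliant(candidate: str) -> bool:
    """True when the candidate satisfies every rule in PASSWORD_RULES."""
    return not check_password(candidate)


if __name__ == "__main__":
    # Constructed sample values for demonstration only.
    for sample in ["farmer4", "Farmer4Farmer", "Farm3r-4-F@rmer!"]:
        failures = check_password(sample)
        print(f"{sample!r}: {'OK' if not failures else ', '.join(failures)}")
```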
Virus protection
There is a great deal of malicious code that computers need to be protected against. Because of this, guidance should be given on how frequently the Farmer 4 Farmer system should be scanned for viruses by one specific person, the IT specialist, and the organization should be encouraged to put automatic scanning in place for all of its computers. Instructions on how to handle live database updates, and tips on how to protect computers against infection by malicious code such as Trojans, viruses, and worms, should be shared with the information technology department.
Installation of software
Some software is malicious and dangerous to an organization's information. Many hackers use such software to gain access to an organization's computers and launch whatever attack they want. In addition, software from unknown sources is dangerous to computers and creates threats to information security. Awareness should be created across the entire Farmer 4 Farmer cooperative society management about all the security issues relating to software installation, in order to minimize the risk of information destruction or leakage. With this in mind, only the IT specialist should be allowed to carry out any software installation, upgrade, or uninstallation.
System encryption should also be put in place, with a specific person designated to carry out the encryption and the procedure. Data backup is always good practice in an organization, since it provides a remedy in the event that the database is vandalized or the computer system is invaded by malware. The organization's management should specify who conducts the backup and how frequently the data is backed up. Maintenance should be done by a trusted person or team mandated by the organization, to minimize incidents that breach physical information security. The network use policy document should describe in detail whom to report to in case of any mishandling or unauthorized handling of any source of the organization's information.
Internet threats
On the internet, threats take advantage of web browsing, email use, instant messaging software, and downloads or attachments to plant bots on the server and gain access to various information (Chen, Ramamurthy & Wen, 2015). Employees can also leak some of the organization's information through their use of the internet.
Web browsing
Any information security policy should describe the areas that are forbidden to staff within the organization (Safa et al., 2015). Since not all areas will be prohibited, the policy should provide all staff with safer browsing tips and keep them aware that all their internet browsing is monitored, which serves as a warning to them.
Use of email
The information security policy should address the acceptable use of email. It should clearly state the dos and don'ts of the email system. The policy should state whether using email for personal purposes is allowed or not. In addition, the policy should give a brief illustration of the potential effect of email use on the spread of malicious code.
Instant messaging software
There are risks associated with the use of instant messaging software. The information security policy should be able to explain to staff members how malicious people can access, steal, corrupt, or modify the organization's information through it (Burns et al., 2017).
Downloading
The information security policy of this organization should state whether downloading is allowed or prohibited. If it is allowed, the policy should describe useful tips on sources and methods of downloading (Jouini, Rabai, & Aissa, 2014). There should also be descriptions of good practice for mail attachments within the organization. The policy should explain the threats likely to cause harm to the system through downloads.
The information described above is necessary, and staff will have to understand the need for the prohibitions and the impact that the prohibited activities have on the organization. In case of any information security problem, staff members will have steps and procedures described by the policy on how to deal with it (D'Arcy, & Lowry, 2019). By sharing security information among staff members, they will be in a position to understand the need for the security and safety practices they should follow within the organization to keep its information secure.
Violation of the security policy
For the policy to be effective and serve its purpose, all the organization's staff members should be aware of the consequences of violating the security policy (Siponen, Mahmood, & Pahnila, 2014). This awareness will deter staff members from exposing the organization's important information to malicious access, since the policy describes the punishments (Flores, Antonsen, & Ekstedt, 2014). Some of the punishments the security policy describes can include limiting staff members' information access until they show responsibility in handling the organization's information. The policy can also describe the circumstances under which a staff member can be dismissed from the job or sued for violating the organizational security policy (Nasir, Arshah, & Hamid, 2018). Beyond describing punishments, the policy should describe basic security practices to be followed, since most successful penetrations of organizations' important information are caused either by small human errors or by misunderstanding of the basic security procedures of a particular organization.
Revising the policy
It is normal practice to review several aspects of the policy to ascertain that it has a high probability of lasting success. This ensures that all the descriptions in it are understandable to all the organization's staff members, precise, and clear (Da Veiga, & Martins, 2015). For the policy to have lasting success, it should clearly describe the responsibilities of all staff members, what is to be protected, and how operations are carried out to ensure the information is protected.
Policy implementation
Once the policy has been drafted, revised, and agreed upon, implementation is the next step. This is a hard stage for an organization, since it involves coaching and educating staff members to act securely in their operations in order to protect valuable information (AlHogail, 2015). The policy document must be easily available to all members of the organization's staff, with a copy on the organization's internal network.
Conclusion
Information is essential to any organization and must be protected. Protection efforts may fail if no regulations are defined to guide all staff in the organization. A soundly defined and precise policy will ensure that the organization's important information is well protected. Good management will enable the formulation of this policy to ensure that no threats are posed to the organization's information.
Bibliography
AlHogail, A., 2015. Design and validation of information security culture framework. Computers in Human Behavior, 49, pp.567-575.
Burns, A.J., Posey, C., Roberts, T.L. and Lowry, P.B., 2017. Examining the relationship of organizational insiders' psychological capital with information security threat and coping appraisals. Computers in Human Behavior, 68, pp.190-209.
Chen, Y., Ramamurthy, K. and Wen, K.W., 2015. Impacts of comprehensive information security programs on information security culture. Journal of Computer Information Systems, 55(3), pp.11-19.
Da Veiga, A. and Martins, N., 2015. Improving the information security culture through monitoring and implementation actions illustrated through a case study. Computers & Security, 49, pp.162-176.
D'Arcy, J. and Lowry, P.B., 2019. Cognitive-affective drivers of employees' daily compliance with information security policies: A multilevel, longitudinal study. Information Systems Journal, 29(1), pp.43-69.
D'Arcy, J., Herath, T. and Shoss, M.K., 2014. Understanding employee responses to stressful information security requirements: A coping perspective. Journal of Management Information Systems, 31(2), pp.285-318.
Faris, S., Ghazouani, M., Medromi, H. and Sayouti, A., 2014. Information security risk assessment—A practical approach with a mathematical formulation of risk. International Journal of Computer Applications, 103(8), pp.36-42.