Detailed Report on Information Security Policies and Acceptable Use
Added on 2020/03/07
AI Summary
This report delves into the critical importance of information security policies for organizations, emphasizing the Acceptable Use Policy (AUP). It explores the development of effective security policies, including risk assessment, password policies, administrative responses, user responsibilities, email and internet guidelines, and disaster recovery mechanisms. The report highlights the necessity of confidentiality, integrity, and availability in securing information systems. It provides a detailed methodology for creating an AUP, including the steps involved in risk assessment, password policy design, administrative response, user responsibility definition, and email and internet policy development. The report recommends creating user awareness through education, changing user attitudes towards security, and implementing effective monitoring and evaluation systems to ensure information security. Additionally, it suggests developing different websites for different users to limit access to sensitive data and creating information security websites that are easy to navigate and understand. The conclusion reiterates the importance of security policies for any organization dealing with internet resources, emphasizing the shared responsibility of administrators, owners, creators, and users in securing information.

Information Security Policies 1.
SECURITY POLICIES: A REPORT ON INFORMATION ACCEPTABLE USE POLICY
Name
Course
Tutor
University
City/state
Date
Introduction
The development of effective security policies is very important to any organization. Different
types of information are stored in different information systems, and their relevance and value
depend on the security of that information. It is therefore important that organizations
develop effective security policies aimed at protecting the information as well as the individuals
interacting with it. An information technology security policy is a well-written strategy that
identifies the rules and procedures for accessing, protecting and maintaining an organization's
network, information technology assets and resources (Siponen et al. 2014, p. 12). It is a
company document that states the company's plans for protecting its physical assets as well as
its information technology assets. This report seeks to explain security policies and their
purpose, as well as the methodologies and processes an organization uses in developing the
policy guideline. A special focus is placed on the acceptable use policy as the case security
policy.
Literature review
Many corporate organizations, businesses and educational institutions have adopted security
policies to govern the access to and usage of certain information. The development of the
Acceptable Use Policy has helped many organizations stipulate the constraints and practices that
users must agree to before gaining access to a corporate network or the internet (Herath et al.
2014, p. 67). In information technology, a security policy in most cases establishes what must
be done by a user, an administrator of a website, or the owner or the creator of the website or
internet to protect information stored in their computer database (Safa et al. 2016, p. 45). The
security policies are
continuously upgraded or updated due to changes resulting from employee or technology
requirements. The security policies are designed to ensure that information in an organization,
business or any institution website is confidential, valuable and available in time of need
without any compromise or modification which distorts the information.
For an information system to be termed secure, it must meet its objectives of confidentiality,
integrity, and availability, which are the characteristic elements of a secure system.
Security policies ensure that confidentiality is achieved by allowing access to information
only to authorized persons, or by ensuring that valuable information is kept only in the hands
of the intended persons (D'Arcy et al. 2014, p. 23). The objective of integrity requires that
the system maintain the value as well as the state of the information by protecting it from
modification, while the availability objective requires that the information and security
always be available when they are needed.
The Acceptable Use Policy is a security policy used in many educational facilities and in most
corporate and business facilities, which require that employees and students sign an acceptable
or legal use policy before being granted a network ID. An Acceptable Use Policy is also normally
presented to users when they sign up with an Internet Service Provider (ISP). The policy
provides certain guidelines which the user must agree to, and in most cases these guide or
restrict the user from using the service to violate any law or to attempt to break the security
system of any computer network (Sommestad et al. 2014). It also regulates or restricts the
posting of commercial messages to unauthorized groups as well as attempts to send junk email or
spam to anyone. The security policy is therefore used to establish what corporate businesses and
educational institutions must do with the information stored on their computers as well as on
business websites. The policy is also used to protect
individuals working with or having access to the information, since anyone who makes
decisions or takes action in any situation where the information is at risk is equally at risk
(Peltier, 2016). The security policy therefore allows people to take necessary actions without
fear of reprisal, and also compels the safeguarding of information by eliminating or reducing
personal liability for employees or users of the information. Regardless of whether
organizations, institutions or businesses use a Local Area Network (LAN) or a Wide Area Network
(WAN), it is important that they develop effective security policies. The Acceptable Use Policy
(AUP) therefore forms an integral part of the framework of security policies.
Methodology
To develop an effective security policy, in this case an acceptable use policy, the
organization, company, business or educational institution must develop certain guidelines and
steps. These procedures include risk assessment, password policy guidelines, the organizational
administrative response, user responsibilities, e-mail guidelines and policies, internet
guidelines, disaster recovery, and intrusion detection policies.
The first step in developing an acceptable use policy is to conduct a risk assessment with the
organization, company, business or educational institution that faces information risk and is
in need of security policies. Risk assessment is usually an ongoing process of discovering
potential security risks, correcting them and preventing future problems (Neisse et al. 2014, p.
123). It is also an essential part of sound security practice and forms an important part of
compliance with security standards. Risk assessment helps the organization or business to
determine the acceptable level of risk as well as the resulting security requirements for
each identified risk, and it involves system risk documentation, determination, and safeguarding.
The second guideline in the development of the acceptable use policy is designing the
organizational password policy. Passwords are a very important aspect of computer information
security, since a poorly chosen password may result in unauthorized access to or exploitation of
company resources (Neisse et al. 2014). An organization needs to develop an effective password
policy to govern the authorization of access to company or organizational information. Such
password policies include regulating the sharing of passwords: for information technology
security, passwords should not be shared, should always be treated as sensitive and
confidential, and therefore should not be shared through websites or any link which may pose a
risk to the information or data related to the company or organization.
The administrative response is also very important in developing an effective security policy.
It is therefore important for the information technology experts involved in designing and
developing the security policies to inform the administrative personnel of the organization.
The administrative personnel then help in providing measures or developing actions against users
caught violating the security policies. Their response ensures that the policy is agreed upon by
the management and administrative departments of the system. From their experience, they also
give further recommendations on what should be done to enhance data or information security
within their organization.
The other important step in the development of an effective security policy is helping users
understand their responsibilities when using the information system. This is important
because most networks today are faced with conflicting goals of availability, security, and
scalability (Webb et al. 2014, p. 90). Most users are only concerned with the availability of
the information, and their need or concern is to use the tools to undertake certain tasks. In
most cases, users tend to defeat the information security procedures or guidelines when they
perceive them as being an interference with or obstacle to their workflow (Ulusoy et al.
2015, p. 453). It is therefore important for organizations or businesses to build user awareness
programs on issues relating to information security by clearly defining their security
objectives to the users, by identifying their user groups for effective security control, and by
presenting their security policies to the users.
Since most organizations use email for most of their communication, it is also important to
develop email and internet policies governing its use. This is because most of the information
may be sent as spam or may be modified to distort the intended message. Such policies govern the
domains of the company emails and can even specify the size or content of a message or email.
This ensures that business emails are not used for personal purposes and that their use is
restricted to official office use only. If anyone is caught defeating such policies,
appropriate administrative measures can be adopted (Arpaci et al. 2015). Internet policies
relating to the computing facilities should also be developed to control the information risk in
general network security, network security or server security.
Lastly comes the development of disaster or data recovery systems, including backup files and
system restore, as well as security mechanisms for intrusion detection. The backup and restore
networks are very important to the continuity of a business, and therefore their environments
must be secured. As much as the backing up of data is necessary, it is not always sufficient as
long as the backup environment is not secured (Ahmad et al. 2014). Organizations and businesses
must therefore ensure that their computing facilities are equipped with backup and restore
networks which are secured by implementing appropriate technologies in the backup storage
devices, as well as by implementing an appliance that can encrypt data at some point in the
storage network. Such steps and guidelines will lead to the development of an effective
acceptable use security policy that can be helpful to many organizations, businesses and
educational institutions.
Recommendations and Conclusion
From the findings above on the development of an acceptable use security policy for
organizations, businesses or educational facilities, it is recommended that the organization
first create user awareness through education on the importance of information security. This
provides users with knowledge, as some users of such information do not know the importance of
the security measures imposed or whether there are any legal actions if anyone is found
violating them or experiences a risk related to certain information. Since most employees in a
business access the internet and business websites to perform their given tasks, organizations
should try to change the attitude of users towards the realization of their role in company
security (DeHaan et al. 2015). It is equally important that employees understand that the
business needs them just as they need it, and therefore security should be a collective
initiative of both parties.
Risk to information has also been encountered due to a lack of effective monitoring and
evaluation. It is therefore recommended that website operators and managers always try to ask
for feedback from users about their experience when using certain websites or
internet sources and monitor their progress as they continue to use them. Some users end up
performing irrelevant tasks, and others tasks which cannot be supported by certain systems,
which may lead to a breakdown or loss of important data. Where companies have sensitive
information which cannot be relayed to the public, the organizations are recommended to develop
different websites for different users to limit access to sensitive data (Muthalagu 2016). It is
also recommended that companies develop an information security website where users can start
familiarizing themselves with internet security issues, which should be clear to understand as
well as easy for the users to browse and navigate.
In conclusion, security policies are important for any organization dealing with internet
resources and assets. The security of internet information is the responsibility of the
administrators, owners or creators of websites as well as the users of the internet resources.
For the systems to be secured, the most important policy to be adopted is the acceptable use
security policy, as it guides and regulates the initial access to the internet. Its effective
development and implementation will play a very important role in the overall security of other
internet-related risks.
List of References
Ahmad, A., Maynard, S.B. and Park, S., 2014. Information security strategies: towards an
organizational multi-strategy perspective. Journal of Intelligent Manufacturing, 25(2),
pp.357-370.
Arpaci, I., Kilicer, K. and Bardakci, S., 2015. Effects of security and privacy concerns on
educational use of cloud services. Computers in Human Behavior, 45, pp.93-98.
D'Arcy, J., Herath, T. and Shoss, M.K., 2014. Understanding employee responses to stressful
information security requirements: a coping perspective. Journal of Management Information
Systems, 31(2), pp.285-318.
DeHaan, M.P., Likins, A.K. and Vidal, S.K., Red Hat, Inc., 2015. Discovery of network software
relationships. U.S. Patent 8,990,368.
Herath, T., Chen, R., Wang, J., Banjara, K., Wilbur, J. and Rao, H.R., 2014. Security services as
coping mechanisms: an investigation into user intention to adopt an email authentication service.
Information systems journal, 24(1), pp.61-84.
Hsu, J.S.C., Shih, S.P., Hung, Y.W. and Lowry, P.B., 2015. The role of extra-role behaviors and
social controls in information security policy effectiveness. Information Systems Research,
26(2), pp.282-300.
Muthalagu, I., 2016. PLM (Product Lifecycle Management) System Administrator Process for
Document Management System (DMS) in Energy Devices Domain.
Neisse, R., Steri, G. and Baldini, G., 2014, October. Enforcement of security policy rules for the
internet of things. In Wireless and Mobile Computing, Networking and Communications
(WiMob), 2014 IEEE 10th International Conference on (pp.165-172). IEEE.
Peltier, T.R., 2016. Information Security Policies, Procedures, and Standards: guidelines for
effective information security management. CRC Press.
Safa, N.S., Von Solms, R. and Furnell, S., 2016. Information security policy compliance model in
organizations. Computers & security, 56, pp.70-82.
Siponen, M., Mahmood, M.A. and Pahnila, S., 2014. Employees’ adherence to information
security policies: An exploratory field study. Information & management, 51(2), pp.217-224.
Sommestad, T., Hallberg, J., Lundholm, K. and Bengtsson, J., 2014. Variables influencing
information security policy compliance: a systematic review of quantitative studies. Information
Management & Computer Security, 22(1), pp.42-75.
Ulusoy, H., Colombo, P., Ferrari, E., Kantarcioglu, M. and Pattuk, E., 2015, April. GuardMR:
fine-grained security policy enforcement for MapReduce systems. In Proceedings of the 10th
ACM Symposium on Information, Computer and Communications Security (pp.285-296). ACM.
Webb, J., Ahmad, A., Maynard, S.B. and Shanks, G., 2014. A situation awareness model for
information security risk management. Computers & security, 44, pp.1-15.