Information Security Policy for Saudi IT Organization: A Review
Added on 2023/01/20

Running head: INFORMATION SECURITY POLICY
Information Security Policy
Name of the Student
Name of the University
Author Note

Table of Contents
Introduction:...............................................................................................................................2
Information Security Policy for Backup:...................................................................................2
Detailed Backup Policy:.........................................................................................................3
Security Awareness and Training Policies:................................................................................4
Detailed Awareness and Training Policy:..............................................................................4
Conclusion:................................................................................................................................5
References:.................................................................................................................................7

Introduction:
A security policy is a written document within an organization that describes how the organization will protect itself from various kinds of threats and how it will handle the situations in which a threat to the organization materializes (Safa, Von Solms & Furnell, 2016). For an information technology organization, the most common threats are computer security threats, which are among the biggest issues in the IT industry. A good security policy identifies all the important assets of the organization and keeps those assets safe from potential threats. To make full use of the security policy, the organization must keep its employees informed about the current policy at all times.
In this context, an information security policy is described for the Saudi Information Technology organization. Within this policy, the policies regarding backup and the policies regarding security awareness and training are discussed for the Saudi Information Technology organization.
Information Security Policy for Backup:
Backup is a very important concept for almost every organization, as it protects the organization from the threat of data loss and provides a data recovery facility in the event of system failure (Levitin et al., 2016). An organization can hold many types of data assets, and not all of them are important to the organization, so it is essential to identify which data is important. Common types of important data are financial reports, sales reports, the customer database and data of ongoing projects (Goetsch & Davis, 2014). The location of the backup storage is also very important; generally this location is separate from the main resources.
Detailed Backup Policy:
Important Data that will be Backed Up: All data stored on the file servers, network servers, database servers, firewalls, email servers, web servers, remote access servers and domain controllers of the Saudi Information Technology organization must be backed up. Since only data residing on the organization's servers is backed up, it is very important that employees move all important data stored locally on their workstations to the server system (van den Broek & van Veenstra, 2015); otherwise the locally stored data will not be backed up.
Frequency of Backup Process: The backup process will run every day between 10:00 pm and 11:30 pm.
Method of Backup: The backup will be done through the Symantec backup system.
Backup Storage Location: The devices storing the backups must not reside in the office area; instead they will be kept in a fireproof and waterproof location (Zidar et al., 2016), and tight security must be maintained at that facility.
Duration of Backup Retention: All backups must be retained by the organization for at least six months.
Data Restoration: Backed-up data will be restored only for organizational requirements. No data will be restored for employees' personal purposes.

Restoration Testing: The data restoration process will be tested once a month to ensure that all systems are working properly (Zidar et al., 2016). Any changes caused by the restoration test will be reverted.
Data Retention: Only data important to the organization and its clients will be retained. No data will be retained for the personal use of any employee of the organization.
Duplication of Data: All duplicate data present on the organization's servers must be removed to optimize space utilization.
Encrypted Data Retention: Encrypted data contains highly sensitive information, so the policy for encrypted data differs from the normal data retention policy. The encryption keys must be retained as long as the encrypted data is retained, since the data cannot be restored without them. The retention period for encrypted data is also longer than for normal data: encrypted data is retained by the organization for at least one year.
Destruction of Data: Destruction of data is one of the critical elements of the data retention policy (Xiong et al., 2014). Once data has expired under the organization's policy, it must be destroyed by the organization after proper analysis; the data will be destroyed only after ensuring that the expired data is no longer required by the organization.
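The retention and restoration rules above can be checked mechanically against an inventory of backup sets. The following is an added example (not the report's own code, and not Symantec tooling): the BackupSet record, the sample inventory and the reference date are constructed here, and the decision precedence (personal data and duplicates first, then expiry, then a missing key, then the job window) is an assumption of the example.

```python
"""Retention and restore-test checker for the backup policy described above.
Added example, not the report's own code or Symantec tooling. The BackupSet
record, the sample data and today's date are all constructed here."""
from dataclasses import dataclass
from datetime import date, datetime, time

# Parameters taken from the report's backup and retention policy.
NORMAL_RETENTION_DAYS = 183      # normal data: kept at least six months
ENCRYPTED_RETENTION_DAYS = 365   # encrypted data: kept at least one year
WINDOW_START, WINDOW_END = time(22, 0), time(23, 30)  # 10:00 pm to 11:30 pm
RESTORE_TEST_MAX_AGE_DAYS = 31   # restoration is tested once a month

@dataclass
class BackupSet:
    name: str
    created: datetime            # when the backup job wrote this set
    content_hash: str            # equal hashes on two sets mean duplicate data
    encrypted: bool = False
    key_available: bool = True   # the key must be retained as long as the data
    personal: bool = False       # held for an employee's personal use

def retention_days(b: BackupSet) -> int:
    return ENCRYPTED_RETENTION_DAYS if b.encrypted else NORMAL_RETENTION_DAYS

def evaluate(backups, today: date) -> dict:
    """Map each set name to one decision. Precedence: personal data and
    duplicates first, then expiry, then a missing key, then the job window."""
    decisions, seen = {}, set()
    for b in sorted(backups, key=lambda x: x.created):
        age = (today - b.created.date()).days
        if b.personal:
            decisions[b.name] = "destroy"         # no personal-use retention
        elif b.content_hash in seen:
            decisions[b.name] = "duplicate"       # remove duplicate data
        elif age > retention_days(b):
            decisions[b.name] = "expired"         # destroy after review
        elif b.encrypted and not b.key_available:
            decisions[b.name] = "key-missing"     # unusable backup: escalate
        elif not (WINDOW_START <= b.created.time() <= WINDOW_END):
            decisions[b.name] = "outside-window"  # job ran outside the window
        else:
            decisions[b.name] = "retain"
        seen.add(b.content_hash)
    return decisions

def restore_test_overdue(last_test: date, today: date) -> bool:
    """True when the monthly restoration test has been missed."""
    return (today - last_test).days > RESTORE_TEST_MAX_AGE_DAYS

# Constructed sample inventory, one set per policy branch, as of 20 January 2023.
TODAY = date(2023, 1, 20)
LAST_RESTORE_TEST = date(2022, 12, 1)
SAMPLE = [
    BackupSet("fs-2023-01-19", datetime(2023, 1, 19, 22, 15), "h1"),
    BackupSet("fs-2023-01-19-copy", datetime(2023, 1, 19, 23, 0), "h1"),
    BackupSet("fs-2022-06-01", datetime(2022, 6, 1, 22, 30), "h2"),
    BackupSet("db-2022-06-01", datetime(2022, 6, 1, 23, 0), "h3", encrypted=True),
    BackupSet("db-2022-09-01", datetime(2022, 9, 1, 22, 45), "h4",
              encrypted=True, key_available=False),
    BackupSet("web-2023-01-19", datetime(2023, 1, 19, 14, 0), "h5"),
    BackupSet("hr-personal", datetime(2023, 1, 19, 22, 10), "h6", personal=True),
]

def run_sample() -> dict:
    return evaluate(SAMPLE, TODAY)

if __name__ == "__main__":
    print(run_sample(), restore_test_overdue(LAST_RESTORE_TEST, TODAY))
```

A "key-missing" result is the case the encrypted-data rule exists to prevent: the backup is present but cannot be restored, so it should be escalated rather than silently retained.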
Security Awareness and Training Policies:
Security awareness and training policies are very important for organizations. For proper regulation of security awareness and training, a well-defined policy in this area is essential (Tsohou, Karyda & Kokolakis, 2015). This policy covers both the management and the employees of the organization. A lack of proper awareness and training among employees can leave them unable to react appropriately to security threats, which increases the chance of placing sensitive information in danger. It is also very important to ensure that all employees act according to the organization's instructions, and here the policy plays an important role.
Detailed Awareness and Training Policy:
Initial Training: Initial training must be provided to all full-time employees and team members so that new employees can adapt to the organizational requirements. This training must cover the security policies and procedures of the organization, as well as the identification, reporting and prevention of potential security incidents.
Continuous Training: The training provided to employees must be continuous in nature; that is, the training programme will be repeated periodically for all employees of the organization (Cohen, 2017). The main aim of this policy is to keep employees up to date about new potential threats. The frequency and nature of this training vary according to the organization's decision.
Completion of Training: Every employee of the organization, including existing employees, must complete the training successfully in order to continue working in the organization. Employees who do not complete the training successfully will be suspended from organizational operations until they complete the training as scheduled.

Frequency of Awareness and Training: The initial awareness and training programme for new employees must start as soon as possible after they join the organization. For periodic training the default frequency is once every six months; the organization can adjust this frequency at any time according to its needs.
Focal Point of Awareness and Training: The main focus of the awareness and training programme will be information security matters.
Conclusion:
From the above discussion it can be concluded that security policies are very important for organizations, as they establish the expectations of users and customers. A security policy is not established merely from the specific requirements of the organization; rather, it acts as a bridge between organizational expectations and stated requirements. The policy developed here clearly states what the organization expects from its employees, which is a good example of an ideal security policy. Policies regarding awareness and training have also been developed, and these discuss the importance of training in organizations. The discussion of the backup policy has shown how important the backup process is for organizations, and the developed policy has also set out a proper method of organizing the daily backup of data. Thus it is assured that these developed policies will improve organizational performance.

References:
Cohen, E. (2017). Employee training and development. In CSR for HR (pp. 153-162). Routledge.
Goetsch, D. L., & Davis, S. B. (2014). Quality management for organizational excellence. Upper Saddle River, NJ: Pearson.
Levitin, G., Xing, L., Zhai, Q., & Dai, Y. (2016). Optimization of full versus incremental periodic backup policy. IEEE Transactions on Dependable and Secure Computing, 13(6), 644-656.
Safa, N. S., Von Solms, R., & Furnell, S. (2016). Information security policy compliance model in organizations. Computers & Security, 56, 70-82.
Tsohou, A., Karyda, M., & Kokolakis, S. (2015). Analyzing the role of cognitive and cultural biases in the internalization of information security policies: recommendations for information security awareness programs. Computers & Security, 52, 128-141.
van den Broek, T. A., & van Veenstra, A. F. (2015, May). Modes of Governance in Inter-Organizational Data Collaborations. In ECIS.
Xiong, J., Liu, X., Yao, Z., Ma, J., Li, Q., Geng, K., & Chen, P. S. (2014). A secure data self-destructing scheme in cloud computing. IEEE Transactions on Cloud Computing, 2(4), 448-458.
Zidar, M., Georgilakis, P. S., Hatziargyriou, N. D., Capuder, T., & Škrlec, D. (2016). Review of energy storage allocation in power distribution networks: applications, methods and future research. IET Generation, Transmission & Distribution, 10(3), 645-652.