Data Security – Departmental Information Security Policy
For most companies, a single central Information Security policy is enough. Some companies, however, require individual business units or departments to produce their own departmental policies. Where that is the case, it makes sense to provide one standard template for all departments to follow. This post discusses what the format of such a template should be and how it should look.
First of all, in my opinion the policy should be structured as follows:
Index
1. Central Policy
2. Departmental IT Policy
3. IT Emergency Procedure for the Department
The following IT policy is valid for the department(s) __________.
The department heads are responsible for the planning, implementation and control of measures for data protection and information security in the department. All employees of the department should know the rules and are responsible within the scope of their duties for the proper and secure handling of confidential information.
Other categories include:
Permissible hardware in the department.
Permissible software in the department.
Departmental data classification and authorisation lists.
Office security.
Backup strategy and archiving strategy.
Emergency procedures for the department.
I have created sample departmental policies; if you are interested, do drop me an email at certboy@gmail.com. I just need a small donation from you for my effort, that's all.
Related Tags: Data security, Security Policy, Information security, Network Security
Tuesday, April 3, 2007
Sunday, April 1, 2007
Data Security - Information Security Policies
Data Security – IS regulations
Although there should be company-wide IT security regulations, each business unit should also adapt its own version of the security regulations to its business needs.
I will send you a copy of the IT regulations if you email me at certboy@gmail.com to request a copy.
Related Tags: data security, network security, information security, perimeter security
Data Security - Information Security Documents
After the organizational network is established, it is important to decide what documentation each business unit keeps.
I would say that each business unit should keep documentation of the IT regulations pertaining to its department, followed by IT documentation such as hardware/software asset lists and authorization documents recording who can access which systems and folders in the department, and with what kind of access.
Other important documents include emergency documentation such as proxies for key appointment holders, spare systems for critical functions, and virus outbreak escalation procedures.
I will delve deeper into the individual documents in my next posts.
Meantime, please give your comments if needed.
Related Tags: data security, network security, information security, perimeter security
Tuesday, March 20, 2007
Data Security - Establish a network of data security personnel
To be successful in information security management, the initiatives need to be implemented from top management down to executives.
Ideally, a data security partner (DSP) should be elected from every department so that the DSPs can be trained on all aspects of information security policies, procedures and standards.
The DSPs then implement all policies, procedures and standards according to their business environment.
Data Security - Traceability
Traceability simply means being able to track logs and events so as to detect who, why and how an attacker penetrated a compromised system.
By reviewing logs and events one can also check for unauthorised attempts to log in to a system.
However, there is a real challenge today in retaining massive log files and yet making meaningful associations across them every now and then.
Log management is a field in its own right; in fact, deciding what to log and what not to log becomes a science learnt through experience.
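The log review described above, as an added example that is not part of the original post: the program walks a constructed sample of sshd-style authentication log lines (the host name, addresses and user names are invented for this illustration), aggregates failed and accepted logins per source address, and reports the two patterns a reviewer would want to see first, namely a source that fails repeatedly across several user names and a source that eventually gets in after failing. The threshold of three failures is an assumed tuning value.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
	"strings"
)

// Constructed sample of sshd-style auth log lines (not taken from any real system).
const sampleAuthLog = `Mar 19 08:01:02 host1 sshd[2101]: Failed password for invalid user admin from 198.51.100.7 port 51022 ssh2
Mar 19 08:01:05 host1 sshd[2101]: Failed password for invalid user admin from 198.51.100.7 port 51023 ssh2
Mar 19 08:01:09 host1 sshd[2101]: Failed password for root from 198.51.100.7 port 51024 ssh2
Mar 19 08:01:12 host1 sshd[2101]: Failed password for root from 198.51.100.7 port 51025 ssh2
Mar 19 08:02:30 host1 sshd[2140]: Accepted publickey for alice from 192.0.2.10 port 40011 ssh2
Mar 19 08:03:00 host1 sshd[2150]: Failed password for bob from 192.0.2.20 port 40100 ssh2
Mar 19 08:03:05 host1 sshd[2150]: Accepted password for bob from 192.0.2.20 port 40101 ssh2
Mar 19 08:04:00 host1 sshd[2160]: Failed password for root from 198.51.100.7 port 51026 ssh2`

// The two sshd message shapes this review cares about.
var (
	failedRe   = regexp.MustCompile(`Failed password for (?:invalid user )?(\S+) from (\S+) port`)
	acceptedRe = regexp.MustCompile(`Accepted (\S+) for (\S+) from (\S+) port`)
)

// SourceStats summarises what the log says about one source address.
type SourceStats struct {
	Failed   int
	Accepted int
	Users    map[string]bool // distinct user names tried from this source
}

// Summarise walks the log once and aggregates failed and accepted logins per source.
func Summarise(log string) map[string]*SourceStats {
	stats := map[string]*SourceStats{}
	get := func(src string) *SourceStats {
		s, ok := stats[src]
		if !ok {
			s = &SourceStats{Users: map[string]bool{}}
			stats[src] = s
		}
		return s
	}
	for _, line := range strings.Split(log, "\n") {
		if m := failedRe.FindStringSubmatch(line); m != nil {
			s := get(m[2])
			s.Failed++
			s.Users[m[1]] = true
		} else if m := acceptedRe.FindStringSubmatch(line); m != nil {
			s := get(m[3])
			s.Accepted++
			s.Users[m[2]] = true
		}
	}
	return stats
}

// Findings returns sources whose failed-login count reaches the threshold,
// plus any source that was eventually accepted after failing; both deserve a closer look.
func Findings(stats map[string]*SourceStats, threshold int) []string {
	var out []string
	for src, s := range stats {
		switch {
		case s.Failed >= threshold:
			out = append(out, fmt.Sprintf("%s: %d failed logins across %d user names", src, s.Failed, len(s.Users)))
		case s.Failed > 0 && s.Accepted > 0:
			out = append(out, fmt.Sprintf("%s: accepted login after %d failure(s)", src, s.Failed))
		}
	}
	sort.Strings(out) // deterministic order for reporting
	return out
}

func main() {
	for _, f := range Findings(Summarise(sampleAuthLog), 3) {
		fmt.Println(f)
	}
}
```

The same two-pass idea (aggregate first, then apply rules) scales to a log shipped from many hosts; what changes is only the set of rules, which is where the "what to log and what to look for" experience the post mentions goes.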
Monday, March 19, 2007
Data Security - Availability
Availability in data security means being able to tolerate the loss of data / information in the event of a disaster.
Again we can divide availability into 3 classes:
Class 1 - Tolerance for loss of data / information for more than a week
Class 2 - Tolerance for loss of data / information for more than a day but less than a week
Class 3 - Tolerance for loss of data / information for less than a day
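One way to put the three classes to work, as an added example that is not from the original post: each dataset in a department is assigned a class, and a check over the backup-job log flags any dataset whose latest successful backup is older than its class tolerates. The concrete tolerance figures (7 days, 1 day, 4 hours), the dataset names, the log format and the job results are all assumptions made for this illustration; the post only gives the class boundaries.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
	"time"
)

// AvailabilityClass follows the post's three classes: how long the loss of the
// data can be tolerated before the business is affected.
type AvailabilityClass int

const (
	Class1 AvailabilityClass = iota + 1 // tolerance of more than a week
	Class2                              // more than a day, less than a week
	Class3                              // less than a day
)

// Tolerance is the longest gap between usable backups each class allows.
// The figures are assumed for this example, not taken from the post.
func (c AvailabilityClass) Tolerance() time.Duration {
	switch c {
	case Class1:
		return 7 * 24 * time.Hour
	case Class2:
		return 24 * time.Hour
	default:
		return 4 * time.Hour
	}
}

// Constructed backup-job log, one job per line: "<RFC3339 time> <dataset> <ok|fail>".
const sampleBackupLog = `2007-03-18T22:00:00Z finance-db ok
2007-03-19T22:00:00Z finance-db fail
2007-03-19T20:00:00Z hr-files ok
2007-03-12T22:00:00Z archive ok`

// datasetClass is the department's (constructed) classification list.
var datasetClass = map[string]AvailabilityClass{
	"finance-db": Class3,
	"hr-files":   Class2,
	"archive":    Class1,
}

// LastGoodBackup returns the time of the latest successful backup per dataset.
// Failed jobs are ignored because they leave no restorable copy behind.
func LastGoodBackup(log string) (map[string]time.Time, error) {
	last := map[string]time.Time{}
	for _, line := range strings.Split(strings.TrimSpace(log), "\n") {
		f := strings.Fields(line)
		if len(f) != 3 {
			return nil, fmt.Errorf("malformed line: %q", line)
		}
		ts, err := time.Parse(time.RFC3339, f[0])
		if err != nil {
			return nil, err
		}
		if f[2] == "ok" && ts.After(last[f[1]]) {
			last[f[1]] = ts
		}
	}
	return last, nil
}

// Overdue lists datasets whose latest good backup is older than their class allows.
// A dataset with no successful backup at all has a zero time and so is always overdue.
func Overdue(last map[string]time.Time, classes map[string]AvailabilityClass, now time.Time) []string {
	var out []string
	for ds, c := range classes {
		age := now.Sub(last[ds])
		if age > c.Tolerance() {
			out = append(out, fmt.Sprintf("%s (class %d): last good backup %s ago", ds, c, age.Round(time.Hour)))
		}
	}
	sort.Strings(out)
	return out
}

func main() {
	last, err := LastGoodBackup(sampleBackupLog)
	if err != nil {
		panic(err)
	}
	now := time.Date(2007, 3, 20, 6, 0, 0, 0, time.UTC) // fixed "now" so the run is reproducible
	for _, o := range Overdue(last, datasetClass, now) {
		fmt.Println(o)
	}
}
```

Note that the check keys on the latest successful job, not the latest attempt: the failed finance-db job on 19 March does not count, which is exactly why the dataset shows up as overdue.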
Saturday, March 17, 2007
Data Security - Integrity
Integrity means ensuring that data and information are preserved in their original form and not modified or spoofed, as in the case of email.
To ensure that, we can put in a technical control such as using digital signatures when sending emails.
What other ways can we do it? Please suggest.
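The control the post names, shown as an added example rather than code from the original: the sender signs the exact bytes of the message with a private key, the recipient verifies with the matching public key, and any change to the body, however small, makes verification fail. Ed25519 from Go's standard library is used here as a stand-in for the signature schemes real mail clients use (S/MIME or PGP); the message text and the single-word change are constructed for the illustration, and how the recipient obtains a trusted copy of the sender's public key is outside the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"fmt"
	"strings"
)

// SignedMessage carries the message text plus a detached signature, the same
// shape a signing mail client attaches to an outgoing message.
type SignedMessage struct {
	Body      string
	Signature string // base64 of the Ed25519 signature over Body
}

// Sign produces a signature over the exact bytes of body with the sender's private key.
func Sign(priv ed25519.PrivateKey, body string) SignedMessage {
	sig := ed25519.Sign(priv, []byte(body))
	return SignedMessage{Body: body, Signature: base64.StdEncoding.EncodeToString(sig)}
}

// Verify returns true only if Body is byte-for-byte what the holder of the
// private key signed; a malformed or foreign signature is rejected as well.
func Verify(pub ed25519.PublicKey, m SignedMessage) bool {
	sig, err := base64.StdEncoding.DecodeString(m.Signature)
	if err != nil || len(sig) != ed25519.SignatureSize {
		return false
	}
	return ed25519.Verify(pub, []byte(m.Body), sig)
}

// Demo generates a sender key pair, signs a constructed message, and reports
// whether the original verifies and whether a one-word change still verifies.
func Demo() (original bool, altered bool, err error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return false, false, err
	}
	msg := Sign(priv, "Meeting moved to Thursday 10:00.") // constructed sample body
	original = Verify(pub, msg)

	changed := msg // same signature, edited body
	changed.Body = strings.Replace(msg.Body, "Thursday", "Friday", 1)
	altered = Verify(pub, changed)
	return original, altered, nil
}

func main() {
	original, altered, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("original verifies: %v, altered verifies: %v\n", original, altered)
}
```

The property this demonstrates is detection, not prevention: a signature cannot stop a message from being changed in transit, but it lets the recipient refuse to trust a changed one, which is what the integrity requirement in the post asks for.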