Nemesys Computer Consultants Specialists in Information System Security, Cambridge UK

Information Security Policy

An Information Security Policy is a document or set of documents whose purpose is to define clearly the approach to information security that your organisation has decided to take.

Developing a security policy is an essential step in order to ensure that information security levels are consistently maintained on a long-term basis.

Without an effective security policy, the security of your information will be determined only by subjective "on-the-spot" judgements, which may be made by staff who are relatively inexperienced in information security matters.

To be effective, an Information Security Policy must be endorsed by the highest level of management, and all employees and third parties with access to your organisation’s information must be required to comply with it at all times.

Creating a comprehensive information security policy will allow all staff to have access to the security information that they require in order to fulfil their role in a security-positive manner.

Information Security Policy or Computer Security Policy?

We refer to the policy as an Information Security Policy, rather than a Computer Security Policy, because it is important that the policy addresses all information-related issues that could affect the business, both inside and outside the computer systems.

The Structure of an Information Security Policy

The term "Information Security Policy" is widely used, but often with greatly differing meanings.
Nemesys Computer Consultants Ltd uses the term "Information Security Policy" to encompass the whole of the documentation which defines a company’s stance on security issues.

A Security Policy may be divided into three "layers", where the scope of each layer covers the whole of the business, but where each layer contains documents of differing levels of detail. The three layers that we use are:

Information Security Principles - the top layer

An Information Security Principles document is typically 2-3 pages long, and sets out, in non-technical language, the reasons why the business needs to be concerned about information security, what needs to be achieved and the broad strategy of reaching these goals.

This document is designed to be signed off by the most senior person within the organisation as a demonstration of senior management commitment to security. This sign-off is important to provide authority for the whole Policy structure, and to ensure that all staff understand that security is an important business issue for the organisation.

The Security Principles should be distributed to, and must be understandable by, every person in the company. They may also be used by the organisation to gain competitive advantage, by issuing them (or a subset of them) as a public declaration of the organisation’s stance on information security.

Information Security Standards - the middle layer

An Information Security Standards document is a more substantial document, specifying the business’s detailed requirements in each individual area of information security, based on the Principles. It is not, however, implementation-specific: it states what must be achieved, not how to achieve it. Security Standards do not make reference to specific applications or operating system types. When the underlying technology changes, the standards should not need to be altered.

Information Security Guidelines (or Procedures) - the bottom layer

Each Information Security Guidelines document is environment-specific and is needed for each technology used by the business. It specifies in detail how the Security Standards are to be implemented by that technology.

The differences between these documents may be illustrated by a simple example:

Principles statement: We must carefully control who has access to our information.
Standards statement: Any person accessing Company information must be identified and authenticated using one of the following approved methods...
Guidelines statement: On Windows XP systems, logging into any user account must require a password of at least 8 characters.

What We Can Do For You

Nemesys Computer Consultants Ltd undertakes projects to develop Security Principles, Standards and Guidelines on a regular basis for clients across all sectors of commerce. A consultant would be pleased to discuss a project to create a set of information security policy documents for your organisation, either as part of a BS 7799 compliance project or to meet your own specific policy requirements.

To find out more, Contact Us!

Copyright © 1995-2006, Nemesys Computer Consultants, Cambridge, Cambridgeshire, UK