03 Sep 2014
03 Sep 2014

Information security is a concept that is more prominent than ever, but it is often missing in the minds both of people and companies. Companies are very concerned about managing the security of individuals, mostly to avoid accidents at work, but only in the last period the perception of a good IT security has become synonymous with a “healthy” business.

Information technology and telecommunications have become a vigorous part of everyday life (last year more than 31,000 Petabytes of data were exchanged). Companies today must appear on the web not only representing themselves, but also providing a range of services to its customers, to its partners and also to its employees.

From the strategic point of view, it is essential that the importance of information security is clear in the business mission, in order to protect corporate data.

For years, companies have managed their IT business without having a clear concept of a well-structured policy in the security framework, nor even having defined procedures aimed at mitigating the risks of cyber-attacks. As long as profits were greater than the risks and attacks, having security procedures could seem like a waste of time (and money). But when cyber-crimes are increasing day by day, an attack is not only annoying but the company loses money and its image. The company is forced to take measures, and they are sometimes taken too late.

It is therefore necessary to have clear understanding of a company security policy. A policy is a principle that guides the decision-making process toward a goal.
It is clear that to achieve the goal of an effective and efficient business data secure exchange proper handling procedures are to be implemented.

There’s not a minimum or a maximum number of policies and procedures. The complexity and the number of procedures depend on the risk acceptance and the business.
Security policies the most important (and often the most neglected) effective actions aimed at reducing the risk of a firm and it is the foundation to repelling attacks for the company. The problem is that companies often take into account unrelated procedures, perhaps by taking examples from web searches, which are not easily reconciled and are ill suited to business models. In the case where a company formulates and adopts IT security policies, some do so to comply with a legal requirement and then follow the correct procedures for policy implementation.

What is the correct way to create the right security policies? Firstly, you should check the regulatory environment in which we move and the type of data you want to protect. Another important fact is that the references to security policies are not just found from IT professionals who have to implement them, but from the whole company (e.g. from legal and HR). The rules must be:

  • Clear
  • Simple
  • Understandable
  • Achievable

by all employees and with the means at their disposal. A long security policy document with hundreds of points described in detail will be unenforceable (and incomprehensible). Security policies must be shared and approved even among non-IT professionals (legal offices, administrative), for which a leaner policy will be more manageable. Security policies need to explain the “why” there is need to protect, and the “how” will be handled by the procedures.
It is good to ask yourself a few questions when you approach writing a security policy:
Is this policy truly valuable to the pursuit of safety results?

  • Is the policy aligned with business goals?
  • Is it a few rules or is it more about a best practice?
  • Who should use this policy? (For who is this policy for?)
  • What level of detail do we want to give it?

Always remember that security policies should be subject to periodic review but especially remember to monitor them. If for some reason you do not get the desired results, it is possible that it is not because the policies were not followed, but rather because they are impractical or incorrect. Similarly, changes in the business goals policy may become obsolete, inadequate or exaggerated. It is good not to incorporate safety procedures in the policy because the former are more prone to revision and modification (for example, changing the version of the software or the operating system for a given service ) and should have a more streamlined approval process.

Today, managing the security of your IT infrastructure with robust policies and proper procedures should be considered “core” as much as the same business goals that manages this infrastructure. Every company is an entity in itself; it would be good to look at its own security policies with the same creativity and with the same force it takes for your business.

Leave a comment
More Posts