Information Security Policy and the principles of its organization
In the modern world, the notion of "information security policy" can be interpreted in both a broad and a narrow sense. In the broad sense, it denotes an integrated system of decisions taken by an organization, formally documented and aimed at ensuring the security of the enterprise. In the narrow sense, it is a document of local significance that specifies the security requirements, the system of measures, the responsibility of employees and the control mechanism.
An integrated information security policy is a guarantee of stable operation of any company. Its comprehensiveness lies in a well-considered and balanced degree of protection, as well as in the development of correct measures and control systems in the event of any violations.
All organizational methods play an important role in creating a reliable scheme for protecting information, because the illegal use of information is the result of malicious acts and negligence of personnel, not of technical malfunctions. To achieve a good result, we need a complex interaction of organizational, legal and technical measures that should exclude all unauthorized penetrations into the system.
Information security is a guarantee of smooth operation of the company and its stable development. However, the basis for building a high-quality defense system should be the answers to the following questions:
What is the data system and what degree of protection is required?
Who is able to inflict damage on the company by disrupting the functioning of the information system, and who can use the information obtained?
How can such a risk be minimized without disturbing the well-coordinated work of the organization?
The concept of information security, therefore, should be developed individually for a particular enterprise and according to its interests. The main role in its quality is played by organizational measures, which include:
Organization of an established access control regime. This is done to exclude covert and unauthorized entry into the company's territory by outsiders, and to control the stay of the organization's personnel in the room and the time of their departure.
Work with employees. Its essence consists in organizing interaction with personnel and selecting personnel. It is even more important to get to know them, and to prepare them and teach them the rules of working with information, so that employees know the extent of its secrecy.
The information security policy also provides for the structured use of technical means aimed at the accumulation, collection and storage of information of increased confidentiality.
Carrying out work aimed at monitoring how personnel use secret information and at developing measures that should protect it.
The costs of such a policy should not exceed the amount of potential damage that will result from the loss of that information.
The information security policy should pay significant attention to the processing of information by automated systems: standalone computers and local networks. It is necessary to correctly determine the required degree of protection for servers and gateways, as well as the rules for using removable media.
The efficiency of the information security policy largely depends on the number of demands placed on it by the company, which can reduce the degree of risk to the desired value.