
Information Systems Policy


Published in: Business, Technology


  1. Information Security Policy
     Presented by Mr Ali Sadhik Shaik BE (ECE), PGDVLSI, MBA (IS)
  2. Agenda
     • Introduction
     • Security Policy Framework
     • Need for IS Policy
     • E-mail Policy: SandZ Technologies
     • Implementing security policy
     • Conclusion
  3. Introduction
     • Organizations have moved from being based on tangible assets to being based on intangible (information) assets.
     • Hence the need to protect information assets.
     • The objective of the policy is to convey the risk concerning information security and what preventive measures the company has adopted.
  4. Security Policy Designing Framework
     Commitment → Risk Assessment → Risk Mitigation → Final Policy
  5. Commitment
     • Educate the top management.
     • Align with the corporate vision and business objectives.
     • We also need to analyze the following:
       • What are the information assets of the company in terms of hardware, software and network, as well as its future investment plan in IT/IS?
       • What is the company's dependence on IT in real, measurable terms?
       • What is the impact of the threat?
  6. Risk Assessment
     • Business risks, physical risks, environmental risks, technological risks, human risks and so on.
     • Tabulate and prioritize the risks involved based on impact and probability of occurrence.
       Ex: The probability of a website getting hacked is an annual frequency of 0.5, i.e. once in 2 years, and the business loss for each event is Rs 100 lakhs. The product of probability and consequences gives an Annual Loss Expectancy of Rs 50 lakhs (0.5 × 100).
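The ALE calculation and risk ranking from slide 6, as an added worked example that is not part of the original presentation. The risk register entries are constructed sample data (the first reproduces the slide's figures), and `control_benefit` goes one step beyond the slide by comparing a control's ALE reduction against its annual cost, which is how the tabulated risks feed the mitigation decision.

```python
# Added example, not from the original slides: tabulate and prioritise risks
# by Annual Loss Expectancy (ALE) as slide 6 describes.
# ALE = annual rate of occurrence (ARO) x single loss expectancy (SLE).
# Amounts are in Rs lakhs, matching the slide's example.
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    name: str
    category: str   # business, physical, environmental, technological, human
    aro: float      # expected occurrences per year (0.5 = once in 2 years)
    sle: float      # loss per event, in Rs lakhs

    def ale(self) -> float:
        """Annual Loss Expectancy: probability per year times loss per event."""
        return self.aro * self.sle


# Constructed risk register; the first entry is the slide's worked example.
RISK_REGISTER = [
    Risk("Website defaced / hacked", "technological", 0.5, 100),
    Risk("Power failure in server room", "environmental", 2.0, 5),
    Risk("Laptop with customer data lost", "human", 0.25, 80),
    Risk("Key engineer resigns without handover", "business", 1.0, 12),
]


def prioritise(risks):
    """Return (name, ALE) pairs, largest expected annual loss first."""
    ranked = sorted(risks, key=lambda r: r.ale(), reverse=True)
    return [(r.name, r.ale()) for r in ranked]


def total_ale(risks) -> float:
    """Sum of ALEs: the annual loss the organisation should budget against."""
    return sum(r.ale() for r in risks)


def control_benefit(risk, aro_after, sle_after, annual_cost) -> float:
    """Net yearly value of a control: ALE reduction minus the control's cost.
    A negative result means the control costs more than the loss it avoids."""
    residual = Risk(risk.name, risk.category, aro_after, sle_after).ale()
    return risk.ale() - residual - annual_cost


if __name__ == "__main__":
    for name, ale in prioritise(RISK_REGISTER):
        print(f"{ale:8.2f} lakhs/yr  {name}")
    print(f"Total ALE: {total_ale(RISK_REGISTER):.2f} lakhs/yr")
    # Hypothetical control: halves the hack frequency to 0.1/yr for 8 lakhs/yr.
    print(f"Net benefit: {control_benefit(RISK_REGISTER[0], 0.1, 100, 8):.2f}")
```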
  7. Threats
     Threat categories: Natural and Environmental Threats; Human Threats.
     Security and control areas: Database Security; Disaster recovery; Network & Telecommunication Security; Backup and recovery; WAN recovery; Operating Systems Security; Password Security & Controls; Firewall Security; Internet access and security; Data Classification; Web server Security; Intranet Security; Virus Protection; E-commerce Security; Data encryption; Email security; Administrative Controls; Technical controls; Physical Security; Logical Access Controls; Incident Response management; Program Change Controls; Punitive actions; Version Controls; Application Software Security.
  8. Risk Mitigation
     • Security is not possible with a single defense. Have multiple layers of protection.
     • The measures for risk mitigation could be: Administrative Measures, Physical Measures, Technical Measures.
  9. Risk Mitigation
     Administrative Measures:
     • Policies, Procedures, Standards and Guidelines
     • Personnel Screening and Security awareness training
     Physical Measures:
     • Perimeter Control
     • Physical Access Controls
     • Intruder Detection
     • Fire Protection devices
     • Environmental Monitoring
     Technical Measures:
     • Logical Access Control
     • Network Access measures
     • Identification and Authentication
     • Data Encryption
  10. Risk Mitigation
     Security Efforts (chart): Administrative 25, Technical 75
  11. Final Policy
     • The security policy is not the last and final word.
     • It is a master plan which identifies a company's security concerns and is the first step towards building a secure infrastructure.
  12. Anatomy of Security Policy
     • Policy Statement
     • Specific issues that the policy is addressing
     • Best practices
     • Mandatory practices
     • Policy Scope
     • Policy details
     • Compliance requirements
     • Procedure for implementation
     • Essential Policies
     • Validity
     • Monitoring and reporting mechanism
     • Owner
     • Review details
     • Annexure
  13. Security Policy (diagram)
  14. SandZ Technologies
     • Mainly concentrates on providing online education in the domains of electronic design.
     • E-mails in and out of the company are crucial and confidential.
     • The e-mail policy reduces the risk of damage to the company's image and to important information.
  15. (slide image; no text captured)
  16. (slide image; no text captured)
  17. Implementation of Security Policies
     • Conduct security awareness seminars, workshops and quizzes.
     • Hold a Security Week for the organization.
     • Prepare Do's & Don'ts of the Security Policy; distribute and display them.
     • Create posters, stickers, t-shirts, mugs and mouse pads, all with security messages.
     • Run slogan competitions.
     • Perform security audits.
  18. Conclusion
     An ounce of prevention is better than a pound of detection and correction.
  19. References
     • Avinash Kadam, "Writing an Information Security Policy", Network Magazine, October 2002 issue. (Chief Executive, Assurance and Training, Miel e-Security Pvt. Ltd.)
     • Whitman, M. E. & Mattord, H. J. (2007). Managing Information Security. Thomson Course Technology.