The main objectives of information security are confidentiality, integrity and availability. To achieve these three objectives, security policy needs to be the basis of information security planning, design and implementation, and it needs to be applied to every department in an organization, including general staff. Although policies do not specify how software and devices should be operated, they direct how issues should be addressed and how technologies should be used in order to enhance security.
An information security policy will be considered weak if it does not meet the criteria of an effective one. The criteria include: distribution, review, comprehension, compliance, and uniform enforcement. Therefore, an information security policy is weak if:
· The policy has not been made readily available for review by every employee within the organization.
· The organization is unable to demonstrate that employees (including visually impaired and non-English-speaking employees) can review the policy document.
· The organization is unable to demonstrate that employees understand the content of the policy document.
· The organization is unable to demonstrate that employees agree to comply with the policy. Example: an employee did not sign the agreement form.
· The organization is unable to demonstrate that the policy has been enforced effectively upon every employee.
Failing any of these five points will make an information security policy weak. This matters because a major data breach may be caused by a single employee knowingly or unknowingly breaching the InfoSec policy.
The impacts of a weak or missing information security policy include: security breaches, breach of confidentiality, virus attacks, loss of important data, damage to equipment, unauthorized access to information, theft, and other major security issues.
Example of a weak security policy:
In June 2017, the Miami-Dade school district was sued by 2 former students because the students found their social security numbers and personal information posted on the school district’s website. The students asked for both monetary damages and an “overhaul” of the school district’s policies on the protection of student information. See full story here…
Giscard D Yoryor
Metropolitan State University
References:
Whitman, Michael E., and Herbert J. Mattord. Principles of Information Security.