BTEC National in IT Organisational systems security - Policies and guidelines for IT security (P4)

Updating of security procedures:

The security procedure should reflect the technology used, if the procedure is not on par with the level of technology used then the security procedure will be flawed. The procedures must be regularly reviewed and updated, these updates need to reflect what was outlined to be improved in the review and needs to be in date with current knowledge on security threats. However, the update may have a negative impact on the existing systems and so should be tested before applied to the entire organisations systems. Your security procedure should include things such as; never turn off your firewall, don't share you password, don't leave your PC unattended and logged in.

Scheduling of security audits:

A security audit is a technical assessment of how secure something is, be it physical, hardware, software or data security. A security audit needs to take place on a regular basis to ensure that the current policies are good enough and are effective. This is often done without the knowledge of employees or security personnel to ensure that the findings of the security audit are accurate and relevant. This may be attempted in several ways, someone may attempt to break into the premises to test physical security of the organisations location, or it may be done by the use of a hacker or implanting a virus in the existing systems. Security audits are important to help provide information relating to the improvement of the disaster recovery policies and security procedures.

Codes of conduct for email usage policy:

This is a set of rules which outlines how a person is to behave within a group setting. For your company this will be used to help improve system security and will attempt to avoid downloading any Waldemar or be subject to any social engineering which may harm your systems or company. This will be enforced by the use of a contract that your employees must sign putting legal obligation on them to follow the codes of conduct. In relation to email usage it may include things such as; size of attachments, how to manage the in box, what personal view may be expressed, response times, forwarding of emails to other, unacceptable behaviour such as harassment or sending spam among other things. Included in this should be the right for the network administrator to monitor employees emails.

Surveillance policy:

This may be relate to the monitoring of premises by the use of CCTV cameras to improve physical security, or it may relate to the monitoring of how your employees use the systems you have provided for them to carry out the work they have been hired for. You may or may not make employees aware that the systems they use and how they use them is being monitored, if you do not tell them you may find the individuals who cannot be trusted to work professionally or efficiently, however, on the flip side if you do make them aware of this then they are less likely to misuse the systems. It would be my advice to make sure your employees are aware of your surveillance policy, how it operates and why it operates as it may cause some people to become unsettled if they find out at a later date and you did not mention this to them. Either way you must make sure that you know all of the surveillance laws that apply to ensure you are not breaking the law.

Risk management:

This is the assessment and strategy in place in relation to the risk assessment. Basically, you identify potential risks to your organisation and as a result put things in place to try and reduce the chance of these risks occurring and the effect of these risks if they come into being. There are several approaches to risk management, you may be reactive by changing how your company operates based on the information provided in the risk assessment. Or you can be proactive, by updating security policies and procedures reflecting the potential risks outlined in the risk assessment and reducing the chance of these risk coming into effect. Risk management can refer to your systems security and be tackled by keeping systems software updated and installing anti-virus programmes or it may simply be in regards to health and safety.

Budget setting:

This is how much money you put into your systems security and it should reflect the amount of financial damage that may occur as a  result of a security leak of your systems. Budget setting in relation to to systems and organisation security should not be an after thought, without proper funding for an appropriate security system the risk of loss increases exponentially. Budget setting in general in itself is a security risk, if it is done improperly then the organisation as a whole suffers and may even become bankrupt. Smart budget setting for systems security is therefore imperative, things that must be considered in terms of the cost to benefit ratio are as follows; software licensing, security personnel wage, how much an audit will cost, the cost of your chosen disaster recovery plan for example the cost of backup media and the training of staff for your security procedures and codes of conduct.