Security Policies and Guidelines
It is becoming more common for business organisations to have their own security policies and guidelines regarding the use of IT technologies. This ensures that anyone related to the organisation, including employees, departments, suppliers and customers, follow an established set of rules to ensure their own welfare, as well as that of the business system and the data held within.
Disaster Recovery Policies
Businesses often put in place disaster recovery policies that prepare them to take action when a major disaster happens. The range of disasters could come under any of the following:
- Natural disasters
- Fires
- Power failures
- Terrorist attacks
- Organised disruptions
- Technical failures
- Human error
- Malware, such as viruses
- Legal issues
- Organised strikes
- Loss of employees
Procedures that are often involved in disaster recovery policies may include relocating a copy of the original data to an alternate site, hiring additional staff, purchasing various security equipment and insurance support to fund the aftermath of the disaster and the recovery process that follows.
Updating of Security Procedures
Keeping security software and equipment up to date is important for any business. Checking security policies for currency, and comparing each policy against new information and threats, is essential. It is also important that all security updates are tested before being rolled out across the whole system, as security updates may have an impact on systems that have already been established.
Scheduling of Security Audits
In addition to updating security software, both physical and network security audits need to be scheduled at regular intervals. These security audits are often carried out without the knowledge of the organisation's employees, so that they test how the systems actually perform rather than how they are expected to perform.
In network management, a security audit provides important information on recurring issues that could be potential signs of a threat. This audit is often combined with simulated attacks, such as a hack or a denial of service attack, which are used for testing purposes. These simulated attacks do not cause actual damage like the real thing; they are only a simulated attempt at breaking through system security, which makes them useful for establishing the validity of existing systems.
Scheduling of security audits can also be done physically. Some organisations employ covert personnel as an attempt to break into their own physical security systems. While breaking into a building may sound extreme, it is a direct and effective way of testing physical security measures.
Codes of Conduct
Offering employees, contractors, customers and suppliers complete freedom over an organisational system is not recommended; a line has to be drawn somewhere. Having the individuals who need access to the system sign a code of conduct ensures that they accept the legal responsibility that is being placed on them.
Signing a code of conduct involves having the system's users sign, agree to and follow a variety of different policies. These policies are put in place to ensure that all users abide by rules that are tailored to the organisation's needs.
Surveillance Policies
Placing a CCTV system within the organisation could potentially invade the privacy of individual employees, causing distress among the workforce. How CCTV is put in place is dependent on the agreement of employees, as they will want to know the reasons for using it, how often monitoring and surveillance may occur, where it will be used and what type of surveillance equipment will be used.
Risk Management
A risk management strategy is a predetermined strategy based on the prediction and measurement of possible issues that could happen to the organisation. Depending on the type of threat and how severe it can be, an organisation may decide to use one of the following strategies...
- Ignore the risk entirely and let it play out, for example when there is a change in the economic climate or if a competitor is attempting to undermine the organisation's products.
- Treat the risk by investing in an upgrade or taking an alternative approach.
- Eliminate the risk by directly attacking it, such as stopping a hacker or a malware attack.
- Transfer the risk by allowing the organisation to adapt as an attempt to overcome the problem.
Budget Setting
Annual management of finances and budget setting ensures that organisational security is maintained at an acceptable level. The best security for an organisational system is not free, and a regular investment has to be made in order to maintain complete control. The following must be considered for an effective annual budget for organisational systems security...
- The replacement cost of outdated equipment and software.
- The cost of each security audit.
- The cost of staff training.
- The cost of licensed software.
- The procurement of extra support and consultation.
- Staff wages for employees working in organisational system security.