Password Protected Information Security Policies
The purpose of this document is to propose a Password Protected Information Security Policy for a company, to prevent information leakage and inappropriate use of computers.

This set of policies can be an appendix to a company's Information Security policies.
The contents:
- Protecting Documents with Passwords
- Sending Information to Third Parties
- Dealing with Sensitive Information
- Delivering Awareness Programmes to Permanent Staff
- Detecting Incidents
- Responding to Information Security Incidents

* The references in the "Related Reference(s)" sections are to ISO 17799 and BS 7799.
Author note
The "Password Protected Information Security Policies" document was written for www.FindProtected.com by Jerry Watts, an independent IT security consultant. You can contact Jerry Watts by e-mail at jerry.watts@aks-labs.com.
Copyright note
The "Password Protected Information Security Policies" document was written for www.FindProtected.com by Jerry Watts, an independent IT security consultant. You may use any part of this document for your own purposes, provided you keep the reference to www.findprotected.com.
Protecting Documents with Passwords
POLICY STATEMENT
"Sensitive or confidential electronic data and information should be secured, whenever possible, with access control applied to the directory on the computer concerned. The sole use of passwords to secure individual documents is less effective, and hence discouraged, as passwords may be either forgotten or become revealed to unauthorized persons."
EXPLICATIVE NOTES
The simplest way to limit access by unauthorized people to your documentation is to apply a password. You may, however, forget your password and then encounter problems accessing your data.
Information Security issues to be considered when implementing your policy include the following:
- Opening a document or spreadsheet may be impossible where the password has been forgotten or the owner is no longer available.
- The owner can password-protect only sensitive / confidential electronic data, but not his personal files.
RELATED REFERENCE
9.1.1 Access control policy
Sending Information to Third Parties
POLICY STATEMENT
"Prior to sending information to third parties, not only must the intended recipient be authorized to receive such information, but the procedures and Information Security measures adopted by the third party must be seen to continue to assure the confidentiality and integrity of the information."
EXPLICATIVE NOTES
When sending information to external third parties, the principal consideration should be the integrity and confidentiality of the data.
Information Security issues to be considered when implementing your policy include the following:
- Third parties receiving the data may not treat it in a confidential manner, resulting in the data being accessed by unauthorized persons.
- There should be information security procedures in place at the offices of the recipient that involve securing data, for example, password protection.
- Information security procedures at the offices of the recipient may be inadequate.
RELATED REFERENCE
8.7.1 Information and software exchange agreements
Dealing with Sensitive Information
POLICY STATEMENT
"Sensitive information is to be classified as Highly Confidential and must be afforded security measures which, in combination, safeguard such information from unauthorized access and disclosure."
EXPLICATIVE NOTES
Information is usually sensitive, especially in competitive markets. Information Security issues to be considered when implementing your policy include the following:
- Sensitive information could be lost or stolen.
- Sensitive information may be given to unauthorized parties unintentionally.
- Technical security measures should include access limitation by strong password protection.
RELATED REFERENCE
5.2.1 Classification guidelines
Delivering Awareness Programmes to Permanent Staff
POLICY STATEMENT
"Permanent staff are to be provided with Information Security awareness tools to enhance awareness and educate them regarding the range of threats and the appropriate safeguards."
EXPLICATIVE NOTES
It only takes a single lapse to put your organization's data and information resources at risk. Therefore, ideally, staff would develop their awareness of Information Security risks so that it almost becomes second nature. Information Security issues to be considered when implementing your policy include the following:
- Sensitive data may be acquired unlawfully, damaged, or modified because staff have become complacent.
- Sensitive data may be compromised by staff assuming new duties without specific Information Security training.
RELATED REFERENCE
6.2.1 Information security education and training
Detecting Incidents
POLICY STATEMENT
"Information Security incidents must be properly investigated by suitably trained and qualified personnel."
EXPLICATIVE NOTES
Your investigation into an Information Security incident must identify its cause and appraise its impact on your systems or data. This will assist you in planning how to prevent a recurrence.
Information Security issues to be considered when implementing your policy include the following:
- A recurrence of data loss / corruption during a particular phase of processing may indicate that a prior Information Security incident was closed inappropriately.
- If the organization entrusts its information security to untrained and inexperienced personnel, it may incur the risks involved in inadequate responses to reported incidents. Suitable training should always be provided.
RELATED REFERENCE
6.3 Responding to security incidents and malfunctions
Responding to Information Security Incidents
POLICY STATEMENT
"The Information Security Officer must respond rapidly but calmly to all Information Security incidents, liaising and coordinating with colleagues to both gather information and offer advice."
EXPLICATIVE NOTES
All Information Security incidents have to be evaluated according to their particular circumstances, and this may, or may not, require various departments to be involved: Technical, Human Resources, Legal and the owners of information (local department heads). If it appears that disciplinary action against a member of staff is required, this must be handled with tact.
Information Security issues to be considered when implementing your policy include the following:
- An inappropriate response to an Information Security incident may result in your organisation being subjected to further incidents, culminating in the loss of business critical services.
- Responses to Information Security incidents should be carried out in accordance with a predefined plan and procedure. If this process is not carefully followed, there is the danger that the response will be haphazard and uncoordinated.
RELATED REFERENCE
8.1.3 Incident management procedures