Policies and Procedures in Information Technology Security

Posted: August 27th, 2021


Abstract

This paper aims to explain how organizations need to design and implement maintainable IT security policies and procedures. Today, designing sustainable information and technology security policies is one of the most critical challenges. In addition to being the first step in a corporate information security policy program, this should be an ongoing process to ensure that the policy is high-quality, comprehensive, and straightforward. IT Security policies and procedures must align with the organization’s set objectives, strategic goals, and cultural needs. Therefore, this is salient for organizations that operate in various economic, geographic, legal, cultural, and political contexts.

Introduction

IT security is a growing concern for organizations, particularly in the current operating environment, which is faced with different cyber-related challenges. Hence, appropriate policies and procedures are needed for effective operations (Landoll 117). Many companies use standardized information security policies and procedures developed by some international information security companies, while some organizations create their policies based on their needs. In this case, implementing an IT security policy program does not guarantee that all employees understand and follow the recommendations (Alotaibi, et al., 133). However, IT security policies and procedures ensure that the organization’s information protection rules and regulations are mastered and followed (Safa, Sohrabi, & Steven, 73). Thus, policies and procedures in IT security should be an integral part of a company’s information security management plan.

Information is one of the resources the company relies on most. If the organization’s vital information is compromised, it may have serious consequences, such as loss of revenue, loss of customer confidence, and possibly legal action (Peltier 13). Therefore, the information must be protected. The company may face unique challenges in developing policy and procedures for IT security due to diverse threats, risks, and the need for tolerance in the dynamic IT environment (Da Veiga 77). In some cases, an organization may need a region-specific information security policy that may be more stringent than a general information security policy. Thus, the policies and procedures developed should be relevant to the organization and comply with the working environment.

Literature Review

In today’s rapidly changing and challenging environment, developing effective IT security policies and procedures is critical to ensuring regulatory compliance and useful information relay. According to McCormac, IT security policy and procedure are the foundation for reliable information (152). Like any foundation, it must be well-constructed and designed. Hence, effective IT security policies must be implemented to support its business goals and objectives (Mello, Patrick, & Dirk 5). Thus, an effective IT security policy requires that users understand and follow IT security policies.

Likewise, usability and flexibility are critical aspects of the IT security policies and procedures developed. This particularly concerns the design process, formulation, and implementation requirements (Alotaibi, Mutlaq, & Nathan, 4). Equally, an IT security policy should be permanent and not rigid. Although the importance of an IT security policy for information security is recognized, only a few empirical analyses of its structure, impacts, or effectiveness have been carried out in this role (Alotaibi, Mutlaq & Nathan, 9). According to Baskerville, designing a justifiable IT security policy is essential for protecting company information resources and systems (3). Otherwise, the consequences of a breach like an information security policy can be costly. Yeagley claims that IT security policy should be created with a clear understanding of the expected results and the need to be flexible and easy to use (2). An information security policy should contain clear definitions and user responsibilities. It should also aim at influencing behavior and engaging employees in the organization’s efforts to protect its information assets. Thus, the IT security policy plays an essential role in preventing, detecting, and responding to security threats and breaches.

Research Questions

The main research question is as follows:

  1. How to design and implement a conducive IT security policy and procedure to protect the information in a flexible and usable approach.

Hypothesis

  1. Companies with well-developed policies and procedures of IT security face limited challenges in their operations.

Content

IT security in an organization can be left in a less effective state when employees do not adhere to information security guidelines. In some cases, employees find that compliance with information security policies negatively impacts their daily work and their ability to perform their jobs (Landoll 77). Furthermore, Landoll claims that they find this approach tedious and time-consuming (103). Employee failure to comply with IT security guidelines is a significant problem for an organization’s security. In most cases, IT security issues are not a technical problem but rather a human problem. Therefore, the biggest threat to security in a company is its employees.

IT security policies and procedures must be fair, reasonable, understandable, flexible, and easy to use. If these procedures and policies are inflexible and unenforceable, employees will not follow them, thus leading to the termination of these policies (Da Veiga 13; Peltier 33). According to Alkahtani, IT security guidelines should be based on human-machine interaction rules (118). Hence, regardless of their knowledge and information, employees should read, understand, follow, adhere to, and comply with the organization’s culture and objectives.

Conclusion

An IT security policy, as a design product and an organizational document, lists the actions employees should or should not take. Designing these policies does not necessarily adequately address all situations. However, the product and implementation principle must indicate its implementation when designing IT security policies and procedures. Product development and design are a time-consuming and complicated process for companies, as many participants from multiple departments have to make decisions outside of their area of expertise. Thus, companies often buy ready-to-use IT security policies from various sources like ISO, manuals, or adoption of government agencies’ information security policies.

Future work

Further research should be conducted on how sound IT security policy protects systems and personal and organizational information from a wide range of threats. Notably, it should focus on the service as an external visual manifestation of its commitment to IT security policies and procedures.

Works Cited

Alkahtani, Hend K. “Safeguarding the Information Systems in an Organization through Different Technologies, Policies, and Actions.” Computer and Information Science 12.2 (2019): 117-125.

Alotaibi, Mutlaq, Steven Furnell, and Nathan Clarke. “Information security policies: a review of challenges and influencing factors.” 2016 11th International Conference for Internet Technology and Secured Transactions (ICITST). IEEE, 2016.

Baskerville, Stephanie. “A Comprehensive IT Security Policy to Protect You from Cyberattacks.” 7 Nov. 2018, www.proserveit.com/blog/creating-comprehensive-security-policy.

Da Veiga, Adéle. “Comparing the information security culture of employees who had read the information security policy and those who had not.” Information & Computer Security (2016).

Landoll, Douglas J. Information Security Policies, Procedures, and Standards: A Practitioner’s Reference. CRC Press, 2017.

McCormac, Agata, et al. “Individual differences and information security awareness.” Computers in Human Behavior 69 (2017): 151-156.

Mello, Patrick A., and Dirk Peters. “Parliaments in security policy: Involvement, politicization, and influence.” The British Journal of Politics and International Relations 20.1 (2018): 3-18.

Peltier, Thomas R. Information Security Policies, Procedures, and Standards: guidelines for effective information security management. CRC Press, 2016.

Safa, Nader Sohrabi, Rossouw Von Solms, and Steven Furnell. “Information security policy compliance model in organizations.” Computers & Security 56 (2016): 70-82.

Yeagley, Geoff. “IT Security Policies and Procedures: Why You Need Them.” 2015, www.compassitc.com/blog/it-security-policies-and-procedures-why-you-need-them.
