4 pages/≈1100 words
IT Security Policy Framework (Case Study Sample)
A comprehensive security program is of paramount importance for establishing a reliable Information Technology Security Policy Framework. It ensures that an organization's information is secure. All types of organizations, including medium-sized companies, ought to have such policies implemented. In this paper I will draft an IT Security Policy Framework for a medium-sized insurance organization (Desman, 2002).

After reviewing three different alternatives with the IT team, I recommended the BindView/Meta Security Group Policy Operations Center solution as the basis of the framework. In this solution there are 7 domains into which policies can be grouped, and these include Asset Protection, Asset Management, Acceptable Use, Threat Assessment and Monitoring, Vulnerability Assessment and Management, and Security Awareness. The framework is very simple for the organization's managers to understand. Once all of the organization's documents have been put into proper categories, it becomes easier to establish where each one fits. In addition, the solution came with a lot of study findings compiled together in policy documents. With this documentation there is no doubt that this was the model to apply.

To represent the organization better, we also included Business Continuity & Drip as well as Physical Security. I decided not to write the physical security policies afresh; instead I chose to link to the ones already in place from two other security organizations, so that the end user can access all the information collectively. This is what the final framework would look like:

- Physical Security
- Asset Identification Classification
- Asset Protection
- Business Continuity
- Security Awareness
- Asset Management
- Threat Assessment & Monitoring
- Vulnerability Assessment and Management
- Acceptable Use

In order to create the design of the IT Security Policy Framework for the organization, the policy of the insurance organization must first be defined. This would form the basis of all decisions and guide end users on what they should and should not do. The use of the term procedures would be more appropriate for the organization's managers to understand better. The organization-level information security policy would be supported by the policy documents. More details would be found in procedures, but these documents would not operate. The organization would require both the procedures and the policies, lack of which would force the end user to get approval from the Security Manager and the management. I would also include some checklists and guidelines in the framework, although these are not requirements. For instance, the Acceptable Use category would include documents such as Frequently Asked Questions, Email Security Procedure, Email Security Guidelines and Instant Messaging Procedure.

Owing to the huge economic benefits from private businesses that rely heavily on technology, the United States government plays a role in regulating these markets with the aim of maintaining a reliable source of tax revenue, enhancing a stable economy and protecting the consumer (Finklea, 2010). The size of an organization determines the number of laws it has to cope with; hence there are a myriad of factors to consider to ensure that an organization's control and security policies align with U.S. laws and regulations. One factor is the inventory: an organization's inventory of information, hardware and software must be solid enough to show clearly where information is fetched, kept and processed. The organization should be aware of the data-handling requirements of every regulation. How the organization handles information should be indicated in the security policy.
The organization's requirements should be reflected in the security policies so as to enable the organization to learn how to deal with various regulations. It is recommended that an organization select a security framework that lets it show regulators that it is applying the best acceptable guidelines, procedures, standards and practices (Schneider, 2000). If it is not possible to use standard practices at times, it is recommended to prepare instructions to use as a guide. Applied consistently, the instructions will eventually become like a standard procedure, and even if they cannot be used all the time, exceptions can be documented. It is also recommended to map the security controls built to the related policies, which in turn map to regulations. This will come in handy in indicating how far the regulatory requirements are covered. It also indicates the role of each security control. It is important for an organization to test and monitor all or most of the security controls related to the regulations that are to be complied with.

There are times when an organization is required to provide evidence to regulators who ask to be shown a good compliance approach. A good beginning would be characterized by control mapping, a framework and security policies. Having a mapping is a clear indication of a good understanding and of the interest to comply. Efforts to test and comply also demonstrate that an organization is on the right track.

Each of the seven domains in developing an effective IT Security Policy Framework presents business challenges in an organization. In Asset Identification Classification, if the security framework is such that confidential information is not accessed only by authorized persons, then integrity, the protection of the completeness and accuracy of the information, may be compromised. Ne...