Role of Isp
Essay by gcloud11 • January 4, 2014 • Essay • 1,038 Words (5 Pages) • 1,672 Views
Every company needs security policies, especially with so much business done through online websites now. There are rules and standards that the company needs for maintaining information systems security. Employees can be a liability but can be an asset when trained properly. When a company has multiple security needs, there are different levels of protection that can be implemented.
"Policies and procedures are always important, but they are critical for security. You need to create and publish your policies to gain consensus on how you will handle specific security issues and to ensure that everyone clearly understands the policies" (Microsoft, 2013). This means all employees: the chief information security officer, security managers, security administrators and analysts, security technicians, security staffers, security consultants, security officers and investigators, and help desk personnel. Every person that is involved with the company absolutely must understand policies and procedures. "A critical factor for ensuring the success of your network security staff is to be sure they are well trained and kept up-to-date as technologies change" (Microsoft, 2013). Security Education, Training, and Awareness (SETA) is how the company can ensure employee understanding of the policies, rules, and guidelines. When employees are not ready to handle new technology or do not understand the policies, SETA should be used. Security education refers to offering courses to employees about information security. Training involves giving employees detailed direction and hands-on practice with the technology. Finally, awareness is very important, though often under-utilized. Companies need to demonstrate to employees the importance of security and keep it fresh in the company constantly. Good ways to raise awareness include sending out memos, making flyers and posters, and even making pens with reminders of the company policies.
"A security policy is often considered to be a 'living document', meaning that the document is never finished, but is continuously updated as technology and employee requirements change" (Rouse, 2007). A company will always be evolving with the changes of society; thus, its security needs and policies will follow suit. It is imperative that the company gets the security policy right every time. It is also important to know what kind of policy is needed. There are different policies to consider: EISP (Enterprise Information Security Policy), ISSP (Issue-Specific Security Policy), and SysSP (System-Specific Security Policy).
An EISP is a very high-level policy that sets the policies for the entire company; it must adhere to state laws and be able to stand up in court if challenged. It follows the mission statement of the entire company and sets the tone for all of the organization's security efforts. This policy "assigns responsibilities for the various areas of information security including maintenance of information security policies and the practices and responsibilities of the end users" (Whitman, Mattord, 2010). An EISP can be very good for a big company because it covers a broad spectrum of security, from IT support to the end user. But it can cause problems due to its generalities and its lack of solutions for specific issues. This is where an ISSP comes in.
An ISSP is much more detailed than
...
...