Security has remained among the most challenging and perennial concerns of IT managers for the last few years, increasingly so because of the dynamically changing computing and communication paradigms, largely initiated by the Internet and accelerated by a host of newer platforms and devices.
As long as computing was largely desktop-dependent and notebook users were few, information security concerns were limited too, until first the Internet and later the USB drives arrived to give information portability disruptively new meanings. Ever since, security has been a nightmare for IT managers. The surge in notebook adoption and the associated growth of wireless networks has added to the woes of IT managers, while the advent of smart phones has further complicated matters.
And just when IT managers were beginning to arm their enterprises with new security arsenals, the mother of all breaches, the social networking sites and their ilk, surfaced and then grew at a colossal pace, making all security controls go flying in the wild.
That's right! Security controls don't seem to work anymore in traditional ways! The answer to the problem lies, to a large extent, in setting up a policy-based security infrastructure.
In today's 2.0 world, how does one protect an organisation's information assets that are potentially exposed to a cross-continent Facebook user base of 400 million?
A sound stepping stone to the answer, no doubt, will begin with a security policy that is thorough and relevant in todays context.
But a security policy itself is not a new concept, and its importance has never been emphasised any less. Yet a large number of organisations still don't have a policy in place. In fact, many of them are yet to fully grasp the seriousness and relevance of having such a policy in the first place.
Also, many organisations that do have a policy continue to be plagued by its ineffectiveness. Against this background, let's look at some of the essential objectives that a security policy must be able to achieve.
Regulatory and legal compliance: The IT (Amendment) Act 2008, which was notified in November 2009, requires that organisations put due mechanisms in place to ensure information security and privacy. A new entry in the Act, in the form of Section 43A, reads: "Where a body corporate, possessing, dealing or handling any sensitive personal data or information in a computer resource which it owns, controls or operates is negligent in implementing and maintaining reasonable security practices and procedures and thereby causes wrongful loss or wrongful gain to any person, such body corporate shall be liable to pay damages by way of compensation to the person so affected."
Effective communication of objectives: For the policy to be effective, it should unambiguously define the security objectives of the organisation and be easy for all employees to read and understand.