Corporate security policy
Implementing a corporate security policy is an obvious step for any company that cares about its own well-being, and an integral part of the overall effort to protect the business. In the broad sense, a security policy sets out the main principles and general concepts for organizing information security in a specific company; moving from the general to the particular, it then describes and regulates all of the company's workflows from the standpoint of their security.
Why a security policy is needed
The main objective of a corporate security policy is to document the rules of day-to-day work in the field of information security. Without it, the interaction of employees with the company's various resources is regulated only informally, and the risk of violations and data leaks rises accordingly. Introducing a corporate policy raises the discipline and responsibility of employees and lays the foundation on which the company's operations can be organized effectively.
When developing a corporate security policy, it is necessary to start by identifying the risks that threaten the company. This means, first of all, defining which data assets need to be protected, which threats those assets are exposed to, and what loss the enterprise would suffer if those threats materialized. Implementing protective measures is always a search for a compromise between convenience and risk reduction, and adopting a security policy is, in effect, a formalization of that compromise. A corporate policy helps minimize the situations in which an ordinary user does not take the recommendations of the cybersecurity department seriously, while the "security guys" (bezopasniki) try to protect everything from everything, interfering with the company's workflows.
There is an international security standard, ISO/IEC 27001, that reflects international best practice in the field of security. Passing certification (obtaining a declaration of compliance) against ISO/IEC 27001 gives a company full authority to claim that its information security is at the highest level. However, meeting all of the requirements set out in the standard can be very costly and is not always justified. Depending on the specifics of the business, individual requirements of the standard can be adopted to cushion the fall in case of contingencies. In addition, there are standards and frameworks such as ITIL and COBIT, which are much more detailed and voluminous documents in which information security is part of a more global approach to organizing management, and against which certification is also carried out.
What a corporate security policy should contain
Security must be addressed at all levels, from the server to the end user. For example, a list of servers is compiled (e-mail server, FTP, HTTP) together with the list of persons who have access to them, and the tasks and duties of those persons are defined. When drawing up security regulations, the security policy for workstations, and in particular the policy for working with web resources, is even more important: it regulates the responsibility and duties of employees while they work on the Internet.
The policy must also record all of the measures the company applies to monitor compliance with these policies, and specify the level of responsibility for violations of the policy.
The provisions of the corporate information security policy are supplemented by documents containing more specific policies, such as the workstation security policy and server security policy described above. It is important not to confuse a cybersecurity policy with a procedure. Information security requirements for procedures are the most specific document within the corporate security policy and describe the direct measures for ensuring information security in the course of personnel's work.
Naturally, a prerequisite for effective information security is a smoothly functioning team. Errors in management and in personnel administration threaten not only lost profit but also numerous violations of security policies.
Monitoring compliance with the security policy
There are various techniques for monitoring employees' compliance with corporate policies. Software intended for employee monitoring is supplied both as stand-alone products and as part of more complex products. Many DLP systems, such as Falcongaze SecureTower, in addition to their main function of data loss prevention, make it possible to monitor employees' work and to record even those violations that did not lead to undesirable consequences. The method of dealing with such violations is the set of sanctions provided for in the policy.
Monitoring and regulating a company's operations can provoke protest among employees, caused by interference with the working habits they are used to. It is important to understand that the equipment and services provided to the employee by the employer are the property of the business owner, and so is the time "bought" by the employer from its personnel. Therefore all results of work performed during working hours belong to the employer, which consequently has full authority to monitor them. It is useful to record this in the cybersecurity policy.
Implementing a corporate security policy is not a one-time event but a long process, in which representatives of both the cybersecurity and IT departments and the heads of other divisions should take part, so as to avoid "distortions" and so that the provisions of the policy can actually be carried out in practice. The task of a security policy is not to regulate every possible process in the company's operations, but to create a foundation on which the enterprise will function going forward, supplementing the general security policy with separate regulations and procedures, both formal and verbal.
Technologies for preventing leaks of confidential information from inside an information system
The directory of DLP systems and projects on TAdviser.