Goal of the Security Policy
Organization X depends on information and information systems. The goal of the security policy is to set objectives for the organization as regards the protection of its informational assets. The security policy provides the basis for the implementation of security controls that reduce risks and system vulnerabilities. By clarifying the responsibilities of users and the measures they must adopt to protect information and systems, Organization X avoids serious losses or unauthorized disclosure. Moreover, the company's good name is partly dependent on the manner in which it protects its information and information systems. Finally, a security policy can be useful as evidence in litigation, in client contract negotiations, during acquisition bids and for business relations in general. The management of Organization X has initiated and continues to sustain an information security effort through the development of sound policies and procedures.
Security Management Framework
All policies and procedures included in this document are approved, supported and defended by the senior management of Organization X. Because compliance with the security policy is of paramount importance to the corporation, its information and the information entrusted to it must be protected according to the critical value and sensitive nature of that information. Security measures must be taken regardless of the storage media on which information is saved, the systems used to process information or the methods used to transfer information. Information must be protected according to its security classification, without regard to the phase of the information life cycle in which it is found.
Information security is a team effort. It requires the participation and support of all members of the organization who work with information systems. Thus, each employee must comply with the requirements of the information security policy and its attendant documentation. Employees who deliberately or through negligence violate information security policies will be subject to disciplinary action or dismissal.
This policy applies to all computers, networks, applications and operating systems owned or operated by Organization X. The policy covers solely the information handled by computers and networks.
Divisions that Manage Information Security
* The Division of Information Security is responsible for establishing and maintaining information security policies, standards, directives and organizational procedures.
* The Internal Audit Division must ensure the compliance of information technologies with policies, procedures and any applicable legislation.
* Investigating system hacking and other information security incidents is the responsibility of the Physical Security Division.
* Disciplinary action in response to violations of information security regulations is the responsibility of local managers acting jointly with the Division of Human Resources.
In order to coordinate security efforts, Organization X has divided the responsibilities of its members into three categories.
1. User Responsibilities
* Users are required to conscientiously familiarize themselves with all information security policies, procedures, standards and applicable legislation. They must fully understand these requirements and comply with them.
2. Owner Responsibilities
* Owners of informational assets are generally executives, managers or delegates of Organization X who must acquire, develop and maintain operational applications (decision support systems) which support decision-making and other organizational activities.
* Each operational application must have an appointed owner.
* Owners indicate the classification that best reflects the sensitive nature, critical...