Developing An Information Assurance Policy

Overview

            Information is an essential asset to a company, and exposure to dynamic threats and risks from outside or inside the company, whether accidental or intentional, may lead to violation of third parties' or employees' rights, regulatory noncompliance, legal breaches, damage to consumer trust and corporate image, as well as economic and property loss (Kamo, et al., 2011). Therefore, it is imperative for any company or organization to secure information through policy development and implementation. Development of an information assurance policy is a continuous process aimed at protecting essential information against threats and risks that jeopardize its confidentiality, availability and integrity.

            The development of an information assurance policy is intended to protect all the information in the custody of the company regardless of how that information is documented or stored (eHealth Ontario, 2012). The policy provides a set of control measures defined by the procedures and standards on information security. It is the responsibility of the Board members of the company to support the strategic objective of information security and to ensure that the policies are aligned with business objectives and strategies.

The development of the information assurance policy is based on the latest version of ISO 27002, which focuses on the management and assessment of risk associated with the transmission, storage, processing and use of information and the systems and processes used for those purposes (Carroll, 2016). The development of information assurance policies involves the process of establishing guidelines and procedures for protecting the confidentiality, authenticity, availability and integrity of user data, with a specific focus on the security of information systems in physical and digital form. In this case, the Head of the Information Technology Department is the custodian of information assets on behalf of the company or organization (Hostland, et al., 2010). The policy is directly connected to the company's management of information policy, which outlines the company's commitment to effectively manage the information in its possession in accordance with the Human Rights Act 1998, the common law duty of confidentiality, the Freedom of Information Act 2000, the Data Protection Act 1998 and any other relevant regulations and laws.

Purpose

            The purpose of this policy is to make sure that the company's information systems safeguard the information they handle and hold, and serve their intended function as required when needed, under the control of authorized users or personnel. The policy applies to all information held by the company, whether electronic or manual, archived or current, as well as all recorded information in any form created, received or maintained by the company (Tuyikeze & Flowerday, 2014). In addition, the policy provides guidelines which ensure that all the information held by the company is effectively managed and held securely in accordance with regulatory, common law and statutory requirements and in keeping with this policy and any other procedures, guidance and policies, thereby contributing to public confidence in the work of the Probation Board.

            As a result, this policy helps the company to put in place all the necessary and reasonable steps to comply with existing and future legislation covering the following areas: Records Management, Freedom of Information, Data Protection, Information Security and Information Assurance. To ensure compliance, it is important for the company to make sure that all the records in its possession are accessible, reliable, authentic and secure (Lainhart IV, 2002). In addition, the records must support business activities and functions and must be retained only as long as they are required by law. Therefore, the policy reaffirms the purpose of ISO/IEC 27002 (2013) by providing the standards related to information assurance.

General objective

            The objectives of this information assurance policy are to ensure that all the information held by the company, including information about service providers, service users and employees, is lawfully and fairly processed to enable the company to comply with its legislative responsibilities (Tuyikeze & Flowerday, 2014). The information held by the company must be accurate and adequate for the purpose it is intended to serve, in a transparent and effective manner, in accordance with a framework that gives due regard to:

  • Confidentiality: The guidelines established by the policy must preserve and protect information assets against unauthorized disclosure.
  • Integrity: The information asset is protected against the accidental or unauthorized modification.
  • Availability: All the information held by the company must be available as and when required in order to achieve and preserve company’s business objectives. This means that the information should be retrievable easily for the company to respond to the information requested as faster as possible.
  • Security: All the information, whether in an electronic or physical environment, is protected against inadvertent or unauthorized erasure and loss. Therefore, the information must be marked correctly and accurately to avoid confusion.
  • Accreditation: The handling, processing, use and transmission of all information is compliant with the existing HMG Infosec Standard. This includes a detailed Risk Management and Accreditation Document Set (RMADS).
  • Business continuity:  All the information systems in the company must support the continuity of management process to avoid business interruptions especially protecting critical business processes and activities against major disasters or failures.
  • Incident reporting and response: The policy provides guidelines for recovering, managing and reporting information risk incidents.
  • Responsibility: The policy must clearly outline the obligation and responsibility of each staff member handling information on behalf of the company. Although the company owns the information held in its name, each staff member has a personal responsibility for how the information they receive or create is stored and managed.

Lastly, the policy will ensure that the company maintains electronic and manual systems that facilitate effective management practices in the creation, retrieval, storage, preservation, retention and destruction of its records.

Scope

            The information assurance policy will be applicable to all information assets of the company contained in electronic and manual information systems. These include:

  • All the components of the company such as the departments and divisions within the company.
  • All the information of the personnel, such as contractors, consultants, permanent employees and executives.
  • All the information handled or owned by the company as well as information under the stewardship or custodial responsibility of the company.
  • All the facilities and assets managed, licensed, leased or owned by the company.
  • All the information about the services provided by the company to clients and internally.
  • All the information about the services offered to the company by the private and public-sector organizations.

Therefore, it is the obligation and responsibility of the customers, suppliers and employees of the company, as appropriate, to know, observe and fully enforce the provisions of the policy.

Policy compliance

Compliance with this information assurance policy will be addressed from three perspectives: employees' duty, applicability to third parties and the information security policy. The policy places a responsibility on all employees to handle the company's information in a manner that complies with the procedures, standards and policies on information assurance, and they must take care to know and understand the content thereof (Kamo, et al., 2011). The information assurance policy will be communicated to third parties, such as suppliers and customers, as well as any other person interacting or doing business with the company, who are required to comply with the policies. The policy will incorporate appropriate clauses into the respective contracts requiring third parties to fully comply. The information assurance policy of the company will be specific, since it is developed and regarded as part of the regulatory framework as defined in ISO 27002.

Related standards

This information assurance policy is developed and implemented in accordance with international standards:

  • ISO/IEC 27001:2005, Information Technology – Security Techniques – Information Security Management Systems – Requirements.
  • ISO/IEC 27002:2005, Information Technology – Security Techniques – Code of Practice for Information Security Management.

These standards hold individual users responsible and accountable for any inappropriate or unauthorized access to, use of, disclosure, disposal or modification of, or interference with, crucial and sensitive information or services. This means that vendors, employees, consultants or any other staff members who violate this policy will be punished accordingly.

Definitions

  • Employees or partners: An individual with a contractual relationship with the company, whether permanent, on fixed terms or as a contract worker.
  • Information Asset: Anything that is important and holds value for the company, whether individuals, systems or documents. These elements are relevant to the retrieval, display, disclosure, storage, issuance and production of information of value to the institution.
  • Policy: General guidance or guideline formally expressed by the management of company.
  • Standard: General provision that emerges from the information assurance policies, prohibitions, restrictions or establishing obligations as well as other expected behavior.
  • Procedure: The chronological sequence of events or actions joined together with the objective of performing specific tasks or activities within the scope of information assurance control.
  • Risks: It is the likelihood of an event adversely affecting the achievement and pursuit of the objective of a company. Risks are determined by combining the probability of occurrence and the consequence of that event.
  • Threats: It is the potential source of an unwanted incident, which may result in damage to a system or process.
  • Information security event: A suspicious activity or series of activities that requires deeper analysis from the perspective of information assurance.
  • Confidentiality: Property of the information which determines that it may only be accessed by duly authorized individuals, entities or processes.
  • Integrity: Property of the information whereby it can only be deleted, altered or added to by a system or person authorized for each process, so as to protect the completeness and accuracy of information assets.
  • Availability: Property of the information that makes it timely available and usable by duly authorized persons or systems, in the format required for its processing.

Terms

Studies have shown that the use of the internet and improved technology make the company vulnerable to hackers. In the recent past, some companies had their systems hacked and paid a ransom to the hackers to be allowed to resume normal operations. This means that companies should put security in place at different levels to minimize vulnerabilities and facilitate early detection of intrusion.
