
IT policy is the set of rules and guidelines that describes how an organization handles certain situations, what the expected solution is, and how security is approached. An information technology policy should serve many purposes, such as protecting people and information, setting rules for the expected behaviour of employees, authorizing security personnel to monitor, defining and authorizing the consequences of violations, and helping to minimize risk (SANS Institute, 2007).


The best practices for IT policies are (ACUPA, 2014):


  • Be Proactive in Issue Identification: The more you are able to identify issues that will affect your institution, the less time will be spent in emergency mode. This is especially true for important policies that are enterprise-wide in scope, involve budget changes, or require training efforts.

  • Identify an owner for each policy: A specific individual needs to have responsibility for the content and accuracy of information within the policy.


  • Determine the best policy path

  • Assemble a Team to Develop Policy: To develop accurate and complete documents, consider the expertise needed to develop a well-informed policy.

  • Agree on common definitions and terms: The definitions and terms should be readily available to those preparing policies.

  • Use a common format

  • Obtain Approval at Owner and Senior Levels

  • Plan Communication, Publicity, and Education

  • Put Information Online and Accessible From One Location: Having information online is the most effective way to make the information available.

  • Develop a Plan for Active Maintenance and Review

  • Encourage Users to Provide Feedback

  • Archive Changes and Date New Releases with an “Effective Date”

  • Measure Outcomes by Monitoring or Testing

Information security policies provide a framework for best practice that can be followed by employees. They help to ensure that risk is minimized and that any security incidents are effectively responded to (SANS, 2007).


The SANS website provides templates for IT policies such as:


  •  Acquisition Assessment Policy

  •  Bluetooth Device Security Policy

  •  Dial-in Access Policy

  •  Ethics Policy

  •  Information security Policy

  •  Internal Lab Security Policy

  •  Personal Communication Devices and Voicemail Policy

  •  Risk Assessment Policy

  •  Technology Equipment Disposal Policy

  •  Web Application Security Assessment Policy

IT Policy Best Practice

Six steps of enterprise risk management (Slater, 2010):


  • Create a working group that includes a representative from every department that plays any role in internal investigations. This might include HR, corporate security, information security, facilities, finance and legal.

  • Brainstorm events and scenarios that could create risk for the company in an internal investigation. Such events might include information leaks in various departments or a potentially violent suspect.


  • Rank the risks by likelihood and impact. Absolute precision is not necessary here, although this step may provide the impetus to gather new metrics, both within your business and from the outside world for benchmarking purposes.


  • List existing controls. Look for redundancy across departments. Brainstorm new ones to address these risks. Rank new controls based on cost, difficulty, and effectiveness—especially noting controls that can reduce likelihood and impact across multiple types of event.


  • Select the appropriate point person responsible for implementing (or championing) each high-priority control.


  • Establish a way to measure the effect of each new control and a way to communicate that measurement within and outside of your working group. Keep the end in mind: Enable business objectives. Keep it simple. Show progress. Make internal investigations more effective and less risky.

© 2014 by Ditsakarn Punyapab
