Risk management can be described as the ongoing process of identifying risks and implementing plans to address them. In many cases the assets that need to be secured outnumber the resources available to protect them. The limited resources that are available should therefore be applied in a manner that maximizes security in a cost-effective and efficient way (Texas Dept. of Information Resources, 1993).
The policy framework therefore lays the foundation for establishing responsibility among the relevant stakeholders. The purpose of the policy is to ensure that risks to the company's infrastructure are identified in time, analyzed accordingly and managed so that they are kept at acceptable levels.
The policy therefore applies to all company stakeholders, irrespective of their level of management or department.
Key principles in risk management
The following key principles outline the company’s approach to risk management:
i. Managing and controlling risk contributes to the achievement of the company's objectives.
ii. Management, through its designated committee, is tasked with overseeing a sound system of internal controls that is in line with the company's plans.
iii. The company makes it its objective to protect private and confidential data.
iv. Review of security standards is an ongoing process.
v. Review procedures cover the company's reputational standing, its strategic policies, and compliance with and adherence to set rules.
vi. Regular reviews are carried out.
vii. A disaster recovery plan is recognized as a necessity, and its importance cannot be overstated.
Access methods policies
The following policies regarding the organization's computing facilities and their access methods should be adhered to at all times:
i. Each individual should have a private, unique password to protect their personal computer.
ii. Passwords should never be revealed to anybody, not even an immediate supervisor.
iii. Passwords should be changed regularly, at random intervals, but within a span of three months or less.
iv. Data managers should implement access levels, and users should be restricted to their specific access level.
v. Data centers should be out of bounds to all unauthorized staff at all times, unless the relevant authority grants permission.
vi. Access to the building premises should be by access keys at all times.
vii. The ICT department, in conjunction with company management, shall develop a contingency plan and a disaster recovery plan. The plans should be well known to all staff at all times.
Network security policies
A secure network is key to minimizing unauthorized access at all times (Crouhy et al., 2006). The policies below apply to the network and network resources:
i. The network should be secure at all times.
ii. Review the network infrastructure regularly to identify weaknesses. Develop solutions for the weaknesses found and implement them.
iii. Network administrators must install firewalls on the network and apply security procedures to ensure that all traffic entering or leaving the intranet is approved.
iv. Secure servers in a secure room or location.
v. Sensitive information in the network as well as in the databases should be encrypted at all times.
vi. Encrypt access points on the network.
vii. Staff shall be trained regularly on the secure use of computing and information facilities. They shall be made aware of the possible threats and risks to these resources and how to deal with them.
The ICT officer is the lead manager in implementing the policy, coordinating it and offering guidance on and interpretation of the policies. Together with top-level and middle-level management, the policies stipulated herein shall be adhered to the letter (Crouhy et al., 2006).
Technology changes rapidly, and so do the environment and the actors within it. There is a need, therefore, for regular review of the policies as well as the development of new policies to keep pace with these changes.
References
Crouhy, M., Galai, D. & Mark, R. (2006). The Essentials of Risk Management. New York, NY: McGraw-Hill Professional.
Texas Dept. of Information Resources (1993). Information Resources, Security & Risk Management: Policy, Standards, & Guidelines. Los Angeles, LA: DIANE Publishing.