Information security is an essential component of computer information systems. For an information system to be considered successful, information security must be achieved throughout the whole process. For information security programs to be successful, it is crucial to have policies in place so that the behavior of employees can be monitored. Information security programs cannot be undervalued. This paper focuses on the role of information security policy. Information security policies play a crucial role in enhancing security within organizations.
Information security policies are the standards and rules set by management to ensure that employees and other staff members working in the organization follow them, so that security procedures are observed. Standards are the universal procedures that should be integrated into business processes to ensure that information is handled securely. Throughout the process, the security policy itself is one aspect that must be observed, and people have to be involved in it. Effective information security programs need working security policies under which people are aware of the security requirements they must observe.
Role of employees in information security policy
Employees play a crucial role in the enactment of information security policies in any organization. Information security policies are implemented from the top. This is evident in the enterprise information security policy, which is drafted by the Chief Information Security Officer (CISO) with the advice of the Chief Information Officer. Information security policies cut across all areas of an organization. Employees have to observe the requirements of the policies that have been set in the organization; this is the only way in which the policy will succeed. For the policy to be successful, senior management should support it. If senior management does not support the policy, then the policy is bound to fail.
Employees will try to get around the policy. This is seen in the way employees come up with ways to avoid observing the policies that have been set. This is a momentous development that should be integrated into the development process. For the information security policy to be effective, there is a need to increase awareness among employees. Awareness can be achieved through procedures such as training and the inclusion of employees in security decision making.
Most information security incidents that take place are the result of employee accident or insufficient attentiveness to information. Employees should be aware of the tactics, arising from the use of information, that might compromise information security.
Classification system for information security
There is a need to have an effective information security classification system in an organization. This will ensure that there are different levels at which information is accessed. The different levels of information access result from the different roles of employees. These roles help employees access the right information in the system.
There is a need to have different levels of access to the different information that is available in an organization. The sensitivity levels of the different kinds of information are a significant factor in the security of that information. Different employees have different needs for a given piece of information. The classification system that has been implemented will help in understanding the information security needs of the different users. Security policies and standards will help to handle and classify information based on its level of sensitivity and the security levels required for it.