This essay has been submitted by a student. This is not an example of the work written by our professional essay writers.
Information security plays a vital role in today's fast-moving business environment. A security policy is the foundation on which an effective and secure security program can be developed. The security policy is the primary way in which management's expectations for security are transformed into achievable goals. It should be noted that there is no single method for developing security policies.
There are many factors to be considered when developing security policies, including customer type, business type and company size. This essay describes a security policy developed to protect all the systems within a supermarket.
The objectives of this essay are
- To explain the importance of security policies
- To describe the basic characteristics of security policies
Developing security policies:
Security principles define the framework within which security policies can be further defined. These principles define the specific type and nature of the security policies applicable to the organization. Furthermore, the organization should evaluate and review these principles so that management's expectations and business requirements can be satisfied. The main goals of the security principles are
- To ensure availability: information shall be available and delivered when it is required
- To provide assurance of confidentiality: data is accessed only by authorized users
- To provide integrity: information shall be complete and accurate
- To protect data from unauthorized use
- To ensure the confidentiality of customer data and processed data and to prevent their unauthorized use
- To prevent unauthorized and undetected modification, replacement, insertion and deletion of data
Security policy purpose:
The security policy creates awareness among users, staff and managers of the need to protect various assets such as customers, hardware, software and data. The policy should clearly specify the mechanisms through which the basic requirements can be achieved. A further purpose of the policy is to govern changes in the development of operational procedures, access control, systems, networks and many other areas. The other purposes of these policies are
- To protect customers and information
- To authorize security staff to monitor, probe and investigate
- To define and authorize the consequences of violation
- To help minimize risk
- To define the company's consensus baseline stance on security
Definition of security policy:
A security policy is a formal set of rules through which users are given access to an organization's technology, systems and information assets. The security policy should be easily understandable while still providing protection. The characteristics of security policies are
- The policy should identify the areas of responsibility for all users
- The policy should be documented, distributed and communicated
- The policy should be enforceable with security tools
- The policy should be implementable through system administration procedures
- The policy should be flexible in order to remain viable in the long term
Policy management and implementation:
The policy must be disseminated to all appropriate users, and care must be taken that the policy does not become obsolete. The policy should be reviewed regularly so that changes in the operating environment can be incorporated into the policy. Once established, the policy can be implemented in IT systems.
Security policy for supermarkets:
Purpose of security policy:
The purpose of the policy is to protect the supermarket's information assets from all kinds of threats, whether internal, external, deliberate or accidental.
The objectives of the supermarket information security policy are to preserve
- Confidentiality: only authorized users are allowed to access the data
- Integrity: all information should be accurate, and systems and networks should work according to specification
- Availability: all information should be available when it is required
The policy aims to implement and maintain the security standards and confidentiality of information held by the supermarket by
- Ensuring that all employees of the supermarket are aware of the legislation described in this policy
- Ensuring that all employees of the supermarket understand their own responsibilities
- Introducing a consistent approach to security
- Creating awareness of information security among employees
- Protecting information assets
This policy applies to all information, systems, networks, applications, locations and users employed at the supermarket, whether held in manual or electronic form.
The policy applies to all employees of the supermarket, whether permanent, temporary or contract. The policy also applies to all locations from which the supermarket systems are accessed (including suppliers).
- The employees of the supermarket are responsible for the use or misuse of confidential information
- Employees should not copy, delete, reuse or review confidential information unless they are authorized to do so
- Employees should take appropriate measures to protect information
- Employees should safeguard all mechanisms that allow access to confidential information
- Employees have the additional responsibility of reporting to their supervisor if any unauthorized user is handling information
The general managers are responsible for information security in the supermarket. On a day-to-day basis, however, the line managers are responsible for managing and handling the policy procedures. They are also responsible for ensuring that all workers, including temporary and contract workers, are aware of
- The policies applicable to all employees in the supermarket
- Their personal responsibilities regarding information security
- How to obtain advice on information security
- That failure to follow the policy will result in disciplinary action
The line managers are also responsible for the physical environments in which information is processed. All system managers should ensure that all information used or handled is maintained to a high standard.
The supermarket is obliged to abide by all relevant legislation. The requirement to comply with this legislation is delegated to the employees of the supermarket who are responsible for handling information, and they are accountable in any case of a breach of information security. The supermarket shall comply with the following legislation
- The Data Protection Act
- The Data Protection Order
- The Copyright, Designs and Patents Act
- The Computer Misuse Act
- The Health and Safety at Work Act
- The Human Rights Act
- The Freedom of Information Act
- The Health and Social Care Act
- The Regulation of Investigatory Powers Act
Policy framework:
Management of security:
At board level the responsibility for information security lies with the general managers. At store level the supermarket security officer shall be responsible for the implementation, monitoring, documentation and communication of security requirements for the supermarket.
Information security awareness training:
Security awareness training should be included in the staff induction period, and frequent awareness programmes should be established so that all employees of the supermarket are educated with the necessary updates.
Contracts of employment:
The information security expectations of employees should be made clear within their department. Staff security should be addressed during the recruitment stage, and all contracts of employment should contain a confidentiality clause.
Control of assets: each IT asset should have a designated person who is responsible for its information security.
Access control: only authorized persons are allowed to access information containing store data.
User access controls: access to certain information, such as customer credit card details, will be restricted so that only authorized users have access to that particular information.
Computer access control: access to computer facilities in the superstore will be restricted so that only authorized users are allowed to use the facilities.
Application access control: access to data or source libraries should be controlled and restricted so that only authorized users, such as the system or database administrator, can access the data for business purposes.
In order to prevent or minimize loss of or damage to assets, equipment should be physically protected from threats and environmental hazards. A standard set of procedures should be followed in managing computers and networks.
Information risk assessment:
The main principle of risk assessment is to identify the security risks to each valued asset. Once the value of a risk is identified, it is easier to manage the information security risk. The risks should be recorded in a risk register so that they can be reviewed regularly. These reviews help to identify the areas that are at high risk, so that prevention plans can be implemented in those areas.
Information security events and weaknesses:
All information security events and suspected events should be reported to the supermarket security officer so that they can be investigated to determine their cause and limit their impact on the supermarket.
Classification of sensitive information:
The supermarket shall implement information classification controls to handle the information shared with external bodies such as suppliers or customers.
The classification "supermarket confidential" shall be used for employee records; the employee information can be passed to employees working in the supermarket (for example, passing employee details to the filing team). Employee details should not be left unattended where unauthorized users may gain access to them. Employee details should be sent in appropriate packaging so that no one can access the information except the authorized users. Documents marked supermarket confidential should be kept in a safe place so that unauthorized users cannot view the details.
The classification "supermarket restricted" is used for all sensitive information such as financial details. It also covers information whose disclosure is likely to
- Affect the reputation of the supermarket
- Cause distress to individuals
- Cause financial loss or loss of earnings
- Lead to the commission of crime or other illegal activity
Supermarket restricted documents should be maintained in a secure area to prevent access by unauthorized users.
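The access-control items above (asset owners, user and application access restricted to authorized roles) and the two classification levels in this section can be combined into a single enforcement rule: a request is granted only when the requester's clearance covers the record's classification, and changes are further limited to the asset owner. The following is an added illustration, not code from the essay or any supermarket system; the roles, clearance table, record names and log format are all constructed assumptions.

```python
"""Added example (not from the essay): a minimal policy-enforcement check that
combines classification levels with role-based access control and records every
denied attempt for the security officer to review. Roles, records and log
lines are constructed for illustration."""
from dataclasses import dataclass, field
from enum import IntEnum


class Classification(IntEnum):
    """Ordered so that a higher clearance covers every lower level."""
    PUBLIC = 0
    CONFIDENTIAL = 1   # supermarket confidential, e.g. employee records
    RESTRICTED = 2     # supermarket restricted, e.g. financial and card details


@dataclass(frozen=True)
class Record:
    name: str
    classification: Classification
    owner_role: str    # role accountable for the asset (the designated asset owner)


# Hypothetical role -> clearance table; a real store would take this from HR/IAM.
ROLE_CLEARANCE = {
    "cashier": Classification.PUBLIC,
    "hr_clerk": Classification.CONFIDENTIAL,
    "finance": Classification.RESTRICTED,
    "dba": Classification.RESTRICTED,
}

CHANGING_ACTIONS = {"copy", "modify", "delete"}


@dataclass
class AccessLog:
    denied: list = field(default_factory=list)

    def record_denial(self, role: str, rec: Record, action: str, reason: str) -> None:
        # Denied attempts are the "suspected events" the security officer reviews.
        self.denied.append(
            f"DENY role={role} action={action} record={rec.name} reason={reason}"
        )


def check_access(role: str, rec: Record, action: str, log: AccessLog) -> bool:
    """Allow only when the role's clearance covers the record's classification;
    copying, modifying or deleting additionally requires the owning role.
    Unknown roles are denied by default (least privilege)."""
    clearance = ROLE_CLEARANCE.get(role)
    if clearance is None:
        log.record_denial(role, rec, action, "unknown role")
        return False
    if clearance < rec.classification:
        log.record_denial(role, rec, action, "insufficient clearance")
        return False
    if action in CHANGING_ACTIONS and role != rec.owner_role:
        log.record_denial(role, rec, action, "not the asset owner")
        return False
    return True


# Constructed sample assets.
SHELF_PRICES = Record("shelf_prices", Classification.PUBLIC, owner_role="finance")
EMPLOYEE_FILE = Record("employee_records", Classification.CONFIDENTIAL, owner_role="hr_clerk")
CARD_DETAILS = Record("customer_card_details", Classification.RESTRICTED, owner_role="dba")


def run_demo() -> AccessLog:
    """Exercise the checks on constructed requests and return the denial log."""
    log = AccessLog()
    attempts = [
        ("cashier", SHELF_PRICES, "read"),      # allowed: public data
        ("cashier", CARD_DETAILS, "read"),      # denied: insufficient clearance
        ("hr_clerk", EMPLOYEE_FILE, "modify"),  # allowed: owner with clearance
        ("finance", CARD_DETAILS, "read"),      # allowed: restricted clearance
        ("finance", CARD_DETAILS, "delete"),    # denied: not the asset owner
        ("visitor", SHELF_PRICES, "read"),      # denied: unknown role
    ]
    for role, rec, action in attempts:
        allowed = check_access(role, rec, action, log)
        print(f"{role:>8} {action:<6} {rec.name:<22} {'ALLOW' if allowed else 'DENY'}")
    return log


if __name__ == "__main__":
    for line in run_demo().denied:
        print(line)
```

The default-deny branch for unknown roles is the part worth keeping in any real implementation: a role missing from the clearance table should never fall through to an allow. The denial log is what turns a policy statement about reporting suspected events into something the security officer can actually review.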
Protection from malicious software:
The supermarket shall use antivirus software to protect against malicious software. Users should not install any software on the system without authorization from the system administrator. A removable disk containing software or data from an external source requires authorization from the system administrator, who verifies whether the disk is infected with a virus. Users breaching these requirements may be subject to disciplinary action.
Monitoring system access:
The system should be maintained on a regular basis. The Regulation of Investigatory Powers Act allows the supermarket to monitor and record employees' communications (including telephone) for the following reasons:
- To investigate unauthorized use of the system
- To prevent or detect crime
- To ensure the effective operation of the system
- In the interests of national security
Accreditation of information systems:
The supermarket shall ensure that all new information systems are approved by the system administrator. Modifications and changes to systems or applications shall be reviewed and approved by the system administrator. The supermarket shall ensure that all information products are licensed and approved by the system administrator or safety officer.
Business continuity and disaster recovery plans:
The supermarket shall ensure that a business impact assessment, business continuity plan and disaster recovery plan are produced for all information, including systems and networks.
The security office is responsible for updating the information security status of the supermarket by giving detailed reports and presentations.
This policy will be audited by the supermarket's approved auditor.
Users can obtain further information and advice on this policy from the supermarket organisation.
Extra-company policy:
The main objective of this policy is to enable the efficient flow of information without compromising its integrity and confidentiality.
Ethical trading standards:
The supermarket is committed to ensuring good labour standards in its supply chain. The supermarket works with retailers, suppliers and trade unions to agree and deliver acceptable common standards for workers, and states that
- Employment is freely chosen
- Working conditions are safe, secure and hygienic
- No child labour is used
- Minimum wages are paid to employees
- Working hours do not exceed their limit
- Job security is provided to all permanent employees
- No harsh or discriminatory practice is allowed
Sharing information with external companies:
The supermarket works with external organisations which all have an important role in delivering products such as groceries, fresh fruit and frozen products. The supermarket also receives requests for personal data from
- The police
- Insurance companies
In such cases the supermarket will not release information without the consent of the individual concerned.
The supermarket will engage a third-party specialist to review network security, since there is a data flow between the two organisations.
The employees of the supermarket should be aware of the importance of verifying the credentials of all callers who request sensitive information.
System users are responsible for checking for viruses before opening email. Email should be used in accordance with the system administrator's conditions.
The supermarket shall ensure that fax communications are protected so that faxes containing sensitive information are received in a secure manner.
The supermarket will ensure that all employees are advised to respect the privacy of other employees.
Intra-company policy:
The supermarket recognises that a disaster may occur despite its security measures, and therefore the supermarket requires disaster recovery plans. The main problems within the store will be the loss of key systems and passwords.
The planning process includes
- Identifying critical computer systems and user areas
- User awareness in identifying disaster scenarios
- Identifying vulnerability-based risks
Planning framework:
The disaster plans cover
- Loss of a key user area within the stores
- Loss of a key operational area
- Loss of a key part of the computer network
- Loss of key staff
The disaster recovery plans include
- Emergency procedures covering the immediate actions to be taken during an incident
- Testing procedures describing how the disaster recovery plan will be tested
- Production of evidence of regular and adequate testing of the disaster recovery plans
In conclusion, this paper explores the process of building and implementing a successful information security policy for supermarkets. A security policy establishes the expectations of the customer or user, including their requirements for information. The security policy acts as a bridge between customer expectations and the stated requirements that can be applied to develop an information system. Security within any organisation starts with building a security policy. The security policy is the foundation on which effective security can be built; it must be well designed and well constructed.