Information technology has transformed the way we do business and plays a major role in every branch of the economy: finance, transport, distribution and every other field tied to economic activity. A society without information security cannot offer economic security.
The risk is growing unchecked because of hackers and cyber criminals who threaten information and physical infrastructures worldwide.
The technologies that support organizational procedures and business models, information systems included, are highly diverse. Solutions developed jointly by organizations and the public can help reduce the threat and give assurance that systems will remain secure against new cyber criminals.
The threat will increase substantially as more sensitive and confidential information is made public or readily available to many users, making it easier for insiders to engage in criminal activity, including terrorism and economic intelligence. The same technology also offers strong tools for shielding against attacks, responding to them, scrutinizing them and mitigating their damage.
The larger part of the world's information infrastructure is operated by private organizations. Defending global cyber assets is therefore a job for the private sector in partnership with the public sector.
Without awareness of cyber security, information worldwide will be subject to continuous, sophisticated threats and to the risk of a catastrophic collapse.
Security is the protection of information, systems and services against disasters, inaccuracies and manipulation, in such a manner that the likelihood and impact of security lapses are minimized.
A security policy is a precautionary means of safeguarding a considerable amount of company data. Through it, a consistent set of security measures is communicated to users, management and technical staff. A security policy is:
- Used to establish the comparative security of active systems.
- Essential for defining security platforms for external partners.
- A mandatory legal requirement regarding the security of customer and employee data.
- A prerequisite for quality control.
Security policies should be an organization's first line of protection. They strike a fine balance that needs to be monitored closely and revisited regularly. Privacy is about the degree of control and vigilance an organization can exercise over its own information; security is concerned with the vulnerability of that information to unauthorized access. The reason for today's heightened concern with security policy is the sustained expansion of the organization beyond its conventional boundaries to partners and suppliers. The aim of information security is to have measures in place that eliminate major threats or reduce them to an acceptable and sufficiently low level, while companies remain able to connect globally with consumers, partners and their own employees.
Network predators regularly target and steal corporate assets and intellectual property, causing service interruptions and system failures, tarnishing corporate brands and alarming customers.
IT security comprises:
Integrity: The business has to be in control of any alteration to objects (information and processes).
Availability: The necessity to have business objects (information and services) readily available when required.
Legal conformity: Information and data that is collected, processed, used, passed on or destroyed has to be handled in accordance with the legislation of the respective countries.
Individuals have to be diligent in following the security processes put forth by organizations; organizations have to define and enforce security measures; and business and government must use different levels of security technology to avoid and minimize threats. All three are necessary to reduce the risk involved.
Key legislative points and issues relevant to the security policy of an organization.
Information security policies operate within federal or state laws that every organization must follow; failure to comply with any of them can result in legal action against the organization. Although information security laws vary from country to country, it is important to remember that information security policies always operate within a legal framework.
For example, in the U.K.:
- Data Protection Act 1998;
- Computer Misuse Act 1990.
In the United Arab Emirates, federal law addresses information technology related crimes, e.g.:
- Federal Law No. 2 of 2006 on combating information technology crimes;
- Law No. 2 of 2002 on e-commerce and e-transactions (Dubai).
Thus it becomes mandatory for every organization to comply with the applicable laws and policies.
Information security policy with respect to legal issues can be divided into the following sections.
International Cyber Crime Treaty
The goal of the ICCT is to facilitate cross-border computer crime investigation; currently 38 nations participate in it, and the USA has not yet ratified it.
- It obligates participants to outlaw computer intrusion, child pornography, commercial copyright infringement and online fraud.
- Participants must pass laws to support search and seizure of e-mail and computer records, permit internet surveillance, and require ISPs to preserve logs for investigation.
- It contains a mutual assistance provision for sharing data.
- Opposition to the ICCT: it is open to countries with poor human rights records, and there are concerns over how a “crime” is defined.
Federal Laws Related To Information Security.
These are defined at the federal level.
U.A.E. federal laws with respect to information security are:
- Federal Law No. 2 of 2006 on combating information technology crimes;
- Law No. 2 of 2002 on e-commerce and e-transactions (Dubai);
- Free Zone Law of Technology, E-Commerce and Information of 2000 (Dubai);
- Customs Law of 1998, including articles 4, 24 and 118 on the validity of documents and information received electronically;
- Law No. 1 of 2007, issued by the Dubai International Financial Centre (DIFC), and Data Protection Law 2001, which is applicable in the jurisdiction of DIFC;
- Copyright and Authorship Protection Law No. 7 of 2002.
As per the Telecommunications Regulatory Authority of the UAE, any material in electronic form should comply with the social, ethical, cultural and religious laws of the country; therefore all organizations operating within the U.A.E. should comply with these policies in the following areas:
- Privacy and Civil Liberties
- E-Mail Privacy
- Social and Ethical
- Cultural and Religious
- Sexually-Explicit Material and Pornography
- Inappropriate Business Practices
- Intellectual Property and Copyright
State Laws related to Information Security.
In the U.A.E. there are no laws defined at the state level with respect to information security, probably because it is a small country and such decisions are taken at the top level by the federal government.
Organization wide policies related to Information Security.
This is the computer use policy, which will be discussed in the next section.
The goals of the organization are:
- Information has to be protected and should not be subject to illegal access or misuse
- Privacy of information must be safeguarded
- Reliability of information should be preserved
- Service delivery is maintained by preserving the availability of the system.
- Continuity planning processes in business has to be maintained effectively and efficiently
- Physical, logical, environmental and communications security should be sustained
- Breaches of this policy may lead to penalties or criminal prosecution.
- Information should be disposed of in a suitable manner when no longer needed.
Let us take a look at a banking organization, which is used both by the general public and for business purposes. The organization operates using diverse electronic information systems, hardware, software and data, paper-based materials and electronic copying devices. The organization's mainframe network is used both directly and indirectly.
This sector deals in transactions, deposits and the assets of different firms. Since the organization is responsible for the security of people's assets, it is of prime importance that it follows its information security policy.
The policy informs an organization's staff and other individuals entitled to use organization facilities of the principles governing information assets, their use and their disposal.
1. Authorized users of information systems
All users of organization information systems must be formally authorized, either for a defined period as a staff member or by another process specifically approved by the CEO. Each authorized user is issued a unique user identity, which must not be disclosed under any circumstances.
2. Suitable use of information systems
Use of the organization's information systems by authorized users must be lawful, honest and proper, and must have due regard for the rights of others.
3. Information System Owners
Organization Directors need to ensure that:
- Systems are sufficiently and appropriately protected from illegal access.
- Systems are protected against theft and damage to a cost-effective level.
- Sufficient steps are taken to ensure that access to information systems remains adequate and appropriate (business continuity).
- Electronic data can be recovered in the event of failure of the primary source, that is, the failure or loss of a computer system.
- The onus lies on system owners to back up information and be able to restore data to a level proportionate to its reliability and criticality.
- Information is preserved accurately.
- Electronic access logs are retained only for a valid period, to ensure compliance with data protection legislation.
- Any third party delegated responsibility for maintaining the organization's data understands its responsibilities fully and takes them seriously in order to maintain security.
4. Personal Information
Authorized users of information systems are usually not granted rights of privacy when using an organization's information systems. Likewise, authorized officers of the organization may inspect personal data held on its information systems. The organization should take legal measures to ensure that unauthorized persons do not use the information system.
Organizations may suffer huge financial losses, and information security can become a vital concern for top managers.
Organizations respond to a breach by making additional security investments to avert future breaches. This can either help reduce the reputational damage to the firm caused by the breach or even have a positive long-term economic impact on the organization.
As time passes, organizations forget what happened and how the breach affected financial performance in the long term.
As more organizations move towards providing greater online access for their customers, professional criminals are successfully using phishing techniques to steal personal finances and conduct identity theft at a global level. The popularity that banking services have won with customers through their speed, convenience and accessibility is likely to rise further in the near future.
However, the major areas of concern must be given attention. System operators should be attentive and cautious in providing process guidelines, and other problems of electronic fund transfer, such as the verification of payment instructions, need to be addressed.
Hence, improved verification is needed to make banking more secure in the years to come. It must also be recognized that technology spending initiatives should be undertaken only after careful consideration of the practicality and feasibility of the technology and its associated applications.
Organizations require a security plan and process to implement information security in a controlled manner. The choice of policies the organization needs should follow from a risk analysis process consisting of security and vulnerability assessments.
The assessment results, together with a proper plan and procedure, determine which policies an enterprise needs. Software such as “Symantec Enterprise Security Manager” can support this by measuring compliance with corporate policy. Additional services can ensure that the plan is kept up to date and put into practice accurately and efficiently.
A corporate security policy is absolutely essential. Hackers, crackers, bugs and insecure operating systems, along with continual business evolution, will always be present. As a result, new security threats and loopholes will constantly surface. Current IT security solutions must strive for continuous, sustained improvement to remain effective and to keep providing business value in the future.