
Introduction

Designing a sustainable information security policy is one of the most important issues facing
organizations today. It should not only be the first step in an organization's information security
policy program but also a continuing process that keeps the policy of high quality: clear,
comprehensive and appropriate to the organization's specific business objectives, strategic goals
and cultural needs. This is a particularly salient issue for organizations that operate in numerous
political, cultural, legal, geographic and economic environments and that, by necessity, must have
an information security policy that employees can follow and actually use. Information security
represents a growing concern for organizations. As organizations rely more heavily on information
systems to stay competitive, gain strategic advantage and run their operations, an effective
information security policy becomes both important and the necessary foundation for
organizational information security.

Challenges in information security policy


In an organization, some unique challenges can arise in designing an information security policy,
such as policy differences arising from the various threats, risk acceptance and tolerance levels
among business units; internal and external requirements at a country, local and national level;
human factors; and cultural differences. In some cases, an organization may require a
region-specific information security policy that is more restrictive than its global information
security policy. An information security policy has to be enforced because it demands effort from
employees. One of the problems facing organizations is employees not following the information
security policy, which reflects the social nature of human beings: an information security policy
challenges employees to change the way they think about their own responsibility for protecting
the organization's valuable information. Attempting to impose an information security policy on
unwilling employees results in resistance, both because stricter information security procedures
make jobs more difficult and because people do not like to be told what to do.
Computer security policy
Sound information security policy should protect the information and systems, as well as the
individual employees and the organization as a whole, from a wide variety of threats. It should
also serve as a prominent statement to the outside world about the organization's commitment to
information security. An information security policy is often considered to be a "living
document," meaning that the document is never finished but is continuously updated as
technology, regulations and business requirements change. The information from systematic
monitoring should serve as a critical input to the evaluation, formulation, implementation and
design of the information security policy. The information security policy should be seen not only
as an artifact the organization uses to enforce best information security practices; it should also
identify in detail what is acceptable or unacceptable and what constitutes reasonable behavior
from employees, in order to ensure sound security of information.
Information security policy should be sustainable. Information security covers people and
process issues as well as technology. The design of information security policy in an organization
should be integrated into a process that involves employee usability testing and input from
various regions, regulations, industry standards and business units. An information security
policy is the necessary foundation for sound organizational information security.
Information security policy should enhance business operations by reducing risk, ensuring
protection of the organization's critical information assets and decreasing information system
security management costs, while also improving information system operations and supporting
the demands of internal and external compliance. Since many of these policies require human
involvement, for example employee and customer actions, their goals can only be measured and
checked if such human activities can be influenced and monitored, and if positive outcomes are
rewarded while negative actions are sanctioned. An effective information security policy should
be based on a usability standard that can be achieved through the design techniques appropriate
to implementing a sustainable information security policy.
Designing of information security policy
The successful design of information security policy is critical in today's environment of rapid
change and of challenges in addressing information security policy compliance and effectiveness
in organizations. The information security policy is the foundation on which sound information
security is built. As with any foundation, it must be well designed and well constructed; it can
then be trusted to support the organization's business objectives and goals effectively. It is
essential that effective information security policy practices be in place in organizations to ensure
the success of the policy. Effective information security policy requires that users understand
and follow the information security mission as described in the organization's information
security policy.
Flexibility and usability are essential elements of the information security policy life cycle,
particularly of the design process in policy formulation and implementation. An information
security policy needs to be sustainable, not rigid. While the importance of the information
security policy in ensuring the security of information is widely acknowledged, to date there has
been little empirical analysis of its design, impact or effectiveness in this role. Designing a
sustainable information security policy is critical to protecting the organization's information
systems and assets. The consequences of violating such a policy can be extensive and expensive.
The organization's information security policy should be written with a clear understanding of
the expected outcome and of the need to be flexible and usable. The information security policy
should incorporate clear definitions and user responsibilities (Gaunt 1998). It should also aim to
influence behavior and turn employees into participants in the organization's efforts to secure its
information assets.
Information security policy plays an important role in preventing, detecting and responding to
security threats and breaches. Organizations should have security controls to protect their
information. One of the most important controls, according to Hone and Eloff (2002), is the
information security policy. The information security policy is likely to be ineffective if it is not
well written, understood, followed and accepted by all employees.
Passwords and user IDs
Passwords and user IDs should not be shared with each other, and this confidential information
should not be disclosed to outsiders or to anyone else. When entering a login ID or password, care
must be taken that no one is able to see the information. Passwords should also be alphanumeric.
Another good option when entering passwords is to use a virtual keyboard; with a virtual keyboard
the information entered is kept more secure. A protocol is a well-defined specification that allows
computers to communicate across a network. In a way, protocols define the "grammar" that
computers use to talk to each other. Secured protocols such as Secured Hyper Text Transfer
Protocol (SHTTP) should be used for transferring data. Apart from this, cryptographic techniques
should be used for transferring confidential information such as customer information and
payment information. Public-key and private-key cryptography are the techniques used to share
information from one node to another.
Transport Layer Security (TLS)
TLS is a cryptographic protocol used to secure web connections. It has an authentication
mechanism based on the X.509 certificate system and a phase in which public-key cryptography is
used to establish a symmetric encryption key.
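The two TLS properties just described, X.509 authentication of the peer and a key exchange over a current protocol version, are exactly the settings that get switched off in a careless client. The following is an added example, not part of the original text, using only the Python standard library: one helper builds a client context that enforces both properties, one builds the common weak configuration for comparison, and a review function checks either against the policy. The network-facing `negotiated_parameters` helper and its port 443 default are assumptions for the reader to try; nothing here contacts a server unless that function is called.

```python
import socket
import ssl


def make_client_context() -> ssl.SSLContext:
    """Client context that enforces what the text describes: the server is
    authenticated with an X.509 certificate chain and a hostname match, and
    the key exchange runs over a current protocol version."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2   # refuse SSLv3, TLS 1.0 and 1.1
    ctx.check_hostname = True                      # certificate must name the host
    ctx.verify_mode = ssl.CERT_REQUIRED            # unauthenticated servers are rejected
    return ctx


def make_weak_context() -> ssl.SSLContext:
    """The common misconfiguration: encryption is still negotiated, but the
    X.509 authentication step is switched off, so any server can stand in
    for the intended one.  Built only to compare with the hardened context."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False   # must be cleared before verify_mode can drop to CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def is_hardened(ctx: ssl.SSLContext) -> bool:
    """Policy check a configuration review can apply to any context."""
    return (
        ctx.verify_mode == ssl.CERT_REQUIRED
        and bool(ctx.check_hostname)
        and ctx.minimum_version >= ssl.TLSVersion.TLSv1_2
    )


def negotiated_parameters(host: str, port: int = 443) -> dict:
    """Connect with the hardened context and report what the handshake agreed.
    Needs network access, so the offline checks do not call it."""
    ctx = make_client_context()
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cert = tls.getpeercert()
            return {
                "version": tls.version(),        # e.g. "TLSv1.3"
                "cipher": tls.cipher()[0],       # symmetric suite chosen in the handshake
                "subject": dict(rdn[0] for rdn in cert["subject"]),
            }


if __name__ == "__main__":
    print("hardened context passes review:", is_hardened(make_client_context()))
    print("weak context passes review:", is_hardened(make_weak_context()))
```

The weak context still encrypts, which is why such misconfigurations survive in production: traffic looks protected on the wire, but the step that ties the symmetric key to a verified identity has been removed.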
Remote File Inclusion (RFI)
This is a type of vulnerability found in websites. It allows attackers to include a remote file via
scripts on the web server. The vulnerability arises from the use of user-supplied input without
proper validation. At a minimum this leads to outputting the contents of a file, but depending on
its severity it can lead to, among other things, execution of code on the web server and execution
of code on the client side (such as JavaScript), which in turn leads to other attacks like cross-site
scripting (XSS).
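The root cause named above is user-supplied input reaching an include without validation, so the fix is to validate it against an allow-list rather than to filter out known-bad strings. The following is an added example, not code from the original text, written in Python rather than the server-side language of any particular site. The page directory, the allow-listed page names and the `.html` extension are assumptions for the example; the unsafe resolver is shown only so the two behaviours can be compared.

```python
import re
from pathlib import Path
from urllib.parse import urlsplit

# Assumed application layout (hypothetical): includable pages live here and
# only the listed names may ever be included.  The allow-list is the control;
# the path comparison afterwards is defence in depth.
PAGE_DIR = Path("/var/www/app/pages")
ALLOWED_PAGES = frozenset({"home", "about", "contact"})
_NAME_RE = re.compile(r"[a-z0-9_-]{1,32}")


class IncludeRejected(ValueError):
    """Raised when a requested page fails validation."""


def resolve_include_unsafe(page: str) -> str:
    """The pattern the text describes: the request parameter becomes the
    include target with no validation, so a URL or a traversal sequence is
    passed through unchanged.  Kept only for comparison."""
    return page if "://" in page else str(PAGE_DIR / page)


def resolve_include(page: str) -> Path:
    """Hardened version: accept only a bare, allow-listed page name and
    return the local file it maps to."""
    if "://" in page or urlsplit(page).scheme:
        raise IncludeRejected("remote locations cannot be included")
    if not _NAME_RE.fullmatch(page):
        raise IncludeRejected("page name contains disallowed characters")
    if page not in ALLOWED_PAGES:
        raise IncludeRejected("page is not on the allow-list")
    target = (PAGE_DIR / f"{page}.html").resolve()
    # Belt and braces: the resolved file must sit directly inside PAGE_DIR.
    if target.parent != PAGE_DIR.resolve():
        raise IncludeRejected("resolved path escapes the page directory")
    return target


def is_includable(page: str) -> bool:
    """Boolean wrapper convenient for request handlers and for tests."""
    try:
        resolve_include(page)
        return True
    except IncludeRejected:
        return False


if __name__ == "__main__":
    for candidate in ["home", "about", "http://example.net/page", "../config", "admin"]:
        print(f"{candidate!r:28} unsafe -> {resolve_include_unsafe(candidate)!r:40}"
              f" hardened -> {is_includable(candidate)}")
```

The order of the checks matters for the error a log will show: a remote location is reported as such before the character check runs, which makes audit entries easier to triage than a generic "invalid name".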
Security policy to mitigate computer risk and threats
The threats or risks to which some of these important items are subject are listed below, together
with a security policy to mitigate each threat:
UPS
UPS stands for uninterruptible power supply. The threat to a UPS is power failure due to
insufficient supply or internal damage. A security policy to mitigate that threat is to always
prefer a beeping UPS, which can alert users when the battery is low.
Hard Disk
The risk is that the hard disk crashes and all data stored on it is lost. A security policy to
mitigate that threat is to store important data on another disk or back it up to system servers to
avoid loss of data.
Equipment
Equipment such as a web server is also subject to threats. The vulnerability associated with this
is that no markups are available and an external tool is needed for such manipulations. A security
policy to mitigate that threat is to install antivirus software.
Sales data
The threat is unauthorized access to files by hackers or by any employee of the company. The
attacker may access knowledge, change files to commit fraud or theft, or destroy information to
injure the organization. A security policy to mitigate that threat is to protect the files with user
ID and password authentication and not to give all users access to the files.
Network router
The risk is that computers on the network are infected with a virus through the router. A security
policy to mitigate that threat is to always set a key or password so that the router does not give
access to the wrong user.
Printer
The threat is that, due to a virus in the system, printer files get corrupted. A security policy to
mitigate this threat is to install antivirus software and scan the system or network to avoid the
damage.
Operating system
The threat is that the user cannot log in to Windows or the operating system due to malware or
viruses. A security policy to mitigate that threat is to install antivirus software, scan the system
and not download infected files.
Cables
The threat is that improperly connected cables may cause loss of network connectivity. A security
policy to mitigate this threat is to connect the cables properly and do regular check-ups.
Internet
The threat is that the user's computer may be infected by downloading a virus or malware file
from the Internet. A security policy to mitigate this threat is to install antivirus software and
scan the system or network to avoid the damage.
E-mail
The threat is that the user's system may be infected by downloading a malicious email attachment.
A security policy to mitigate that threat is to scan the email file before downloading it to your
system.
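"Scan the email file before downloading it" is the policy; the following is an added example, not part of the original text, of the first screening step such a scan would perform before any signature engine runs. It parses a constructed MIME message with Python's standard `email` package and gives each attachment a verdict from three checks: an executable extension is blocked, an archive is held for scanning, and a file whose leading bytes do not match what its extension promises is held as well. The extension tables and magic-byte table are constructed for the example and are deliberately short.

```python
import os
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser
from typing import Dict, List

# Constructed policy tables for this example (not exhaustive): extensions
# that execute directly are blocked, archives are held until scanned.
BLOCKED_EXTENSIONS = {".exe", ".scr", ".bat", ".cmd", ".js", ".vbs", ".ps1", ".hta"}
ARCHIVE_EXTENSIONS = {".zip", ".7z", ".rar"}
# Leading bytes expected for a few declared document types.
MAGIC = {".pdf": b"%PDF", ".zip": b"PK\x03\x04"}


def build_sample_message() -> bytes:
    """Constructed sample: a genuine PDF, a script hiding behind a document
    name, an archive, and a file that claims to be a PDF but is not."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "user@example.com"
    msg["Subject"] = "Invoice"
    msg.set_content("Please see the attached files.")
    msg.add_attachment(b"%PDF-1.4 sample", maintype="application", subtype="pdf",
                       filename="invoice.pdf")
    msg.add_attachment(b"sample script", maintype="application", subtype="octet-stream",
                       filename="invoice.pdf.vbs")
    msg.add_attachment(b"PK\x03\x04 sample", maintype="application", subtype="zip",
                       filename="docs.zip")
    msg.add_attachment(b"MZ sample", maintype="application", subtype="pdf",
                       filename="report.pdf")
    return msg.as_bytes()


def assess_attachment(filename: str, payload: bytes) -> Dict[str, str]:
    """Verdict for one attachment: block, quarantine or allow, with a reason."""
    ext = os.path.splitext(filename.lower())[1]   # the last extension is what the OS honours
    if ext in BLOCKED_EXTENSIONS:
        return {"filename": filename, "verdict": "block", "reason": "executable extension"}
    if ext in ARCHIVE_EXTENSIONS:
        return {"filename": filename, "verdict": "quarantine", "reason": "archive must be scanned"}
    expected = MAGIC.get(ext)
    if expected and not payload.startswith(expected):
        return {"filename": filename, "verdict": "quarantine",
                "reason": "content does not match extension"}
    return {"filename": filename, "verdict": "allow", "reason": ""}


def assess_message(raw: bytes) -> List[Dict[str, str]]:
    """Parse a raw message and assess every attachment part."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    return [
        assess_attachment(part.get_filename() or "(unnamed)", part.get_payload(decode=True) or b"")
        for part in msg.iter_attachments()
    ]


if __name__ == "__main__":
    for result in assess_message(build_sample_message()):
        print(f"{result['filename']:18} {result['verdict']:10} {result['reason']}")
```

Splitting on the last extension is deliberate: a name such as `invoice.pdf.vbs` is a script however it is labelled, and the declared MIME type is not consulted because the sender controls it.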
The risks and vulnerabilities defined above are very critical factors that harm the system. To
avoid the risks, the above security policies should be used. Security policies go beyond the
simple idea of keeping the bad guys out. A security policy is a living document that allows an
organization and its management team to draw up very clear and understandable objectives, goals,
rules and formal procedures that help to define the overall security posture and architecture for
the organization. Data transferred across the network should be secured, because intruders can
tamper with data in transit. To avoid such anomalies, secured protocols should be used on the
network and for end-to-end connections.
Security policy development
Development of these security policies involves the development of the following:
1.) Program policies: These address the overall IT security goals and should be applied to all
the IT resources within an institution.
2.) System-specific policies: These address the IT security issues and goals of a particular
system. Big facilities have multiple sets of system-specific policies, which address all levels
of security from the very general to the particular.
3.) Issue-specific policies: These address particular IT security issues such as Internet access
and the installation of illegal or unlicensed software or equipment.
When dealing with network security and information security audits, there are many small but
critical things that play a very significant role and need to be handled very carefully. Security
audits do not take place in a vacuum; they are part of the ongoing process of defining and
maintaining effective security policies. Considering the implementation area first, the given
security policy has a good level of implementation that can be achieved in order to maintain the
integrity of the system. The given security policy is also good in the area of management, which
is enabled to maintain the standard for the system. Considering the given policy in terms of
controlled access, the parameter authorization process is missing and is needed to continue
protecting the system. In the case of Internet security, the given policy does not support any
efficient method of providing security from harms like phishing.

After the last security audit, it is necessary to trace all the changes and modifications that
have been made to the current plans, policies and performance. This is necessary because each
and every change plays a very important role in providing security. Reviewing all firewall logs is
necessary, because the firewall acts as the main gateway and security wall against all threats.
Any major unexpected changes in the logs could result in strange outputs that need to be traced
first. When dealing with network security and information security audits, there are many cases
and policies for the firewall that need to be implemented in order to provide good security. With
the help of firewall log analysis, many important components can be traced to generate security,
traffic and bandwidth reports that are very helpful in analysis. There are many firewall log
policies that should be audited in order to trace the security checkpoints. The information
needed for these policies may vary from policy to policy.
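The paragraph asks for three things from firewall logs: a security report, a traffic and bandwidth report, and a way to notice major unexpected changes since the last audit. The following is an added example, not part of the original text, that does all three over a constructed sample export. The `key=value` line format, the 10.0.0.0/8 internal range and the change-detection thresholds are assumptions for the example; a real appliance's export will differ and only the regular expression should need adapting.

```python
import ipaddress
import re
from collections import Counter
from typing import Dict, List

# Constructed sample export in a simplified, vendor-neutral key=value format.
# One line is deliberately malformed to show that unparsable input is skipped.
SAMPLE_LOG = """\
2024-03-01T08:00:01 action=ALLOW src=10.0.0.5 dst=192.0.2.10 dport=443 proto=tcp bytes=5120
2024-03-01T08:00:02 action=DENY src=198.51.100.7 dst=10.0.0.5 dport=22 proto=tcp bytes=0
2024-03-01T08:00:03 action=ALLOW src=10.0.0.9 dst=192.0.2.10 dport=443 proto=tcp bytes=1024
2024-03-01T08:00:04 action=DENY src=198.51.100.7 dst=10.0.0.5 dport=22 proto=tcp bytes=0
2024-03-01T08:00:05 action=ALLOW src=10.0.0.5 dst=192.0.2.10 dport=443 proto=tcp bytes=2048
2024-03-01T08:00:06 action=DENY src=198.51.100.7 dst=10.0.0.5 dport=22 proto=tcp bytes=0
this line is not in the expected format and is skipped by the parser
2024-03-01T08:00:07 action=DENY src=198.51.100.7 dst=10.0.0.5 dport=22 proto=tcp bytes=0
2024-03-01T08:00:08 action=DENY src=203.0.113.4 dst=10.0.0.9 dport=3389 proto=tcp bytes=0
2024-03-01T08:00:09 action=DENY src=198.51.100.7 dst=10.0.0.5 dport=22 proto=tcp bytes=0
2024-03-01T08:00:10 action=ALLOW src=10.0.0.5 dst=192.0.2.10 dport=443 proto=tcp bytes=8192
2024-03-01T08:00:11 action=DENY src=198.51.100.7 dst=10.0.0.5 dport=22 proto=tcp bytes=0
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) action=(?P<action>ALLOW|DENY) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"dport=(?P<dport>\d+) proto=(?P<proto>\w+) bytes=(?P<bytes>\d+)$"
)
INTERNAL = ipaddress.ip_network("10.0.0.0/8")   # assumed internal address range


def parse_log(text: str) -> List[dict]:
    """Turn the export into event dicts; malformed lines are skipped, not guessed at."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        e = m.groupdict()
        e["dport"] = int(e["dport"])
        e["bytes"] = int(e["bytes"])
        events.append(e)
    return events


def denied_by_source(events: List[dict]) -> Counter:
    """Security report: which sources the firewall is turning away, and how often."""
    return Counter(e["src"] for e in events if e["action"] == "DENY")


def bytes_by_internal_host(events: List[dict]) -> Dict[str, int]:
    """Bandwidth report: traffic volume attributed to each internal host."""
    totals: Counter = Counter()
    for e in events:
        for addr in (e["src"], e["dst"]):
            if ipaddress.ip_address(addr) in INTERNAL:
                totals[addr] += e["bytes"]
    return dict(totals)


def flag_unexpected(current: Counter, baseline: Dict[str, int],
                    factor: int = 3, min_count: int = 5) -> List[str]:
    """Change detection: sources whose deny count is both non-trivial and well
    above what the previous audit period recorded for them."""
    return sorted(
        src for src, n in current.items()
        if n >= min_count and n >= factor * baseline.get(src, 0)
    )


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    print("denied by source:", dict(denied_by_source(evts)))
    print("bytes by internal host:", bytes_by_internal_host(evts))
    print("new since last audit:", flag_unexpected(denied_by_source(evts), {"198.51.100.7": 1}))
```

The baseline passed to `flag_unexpected` is the deny count recorded at the previous audit; keeping it alongside the audit report is what makes "unexpected change" a measurable condition rather than an impression.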

Conclusion
This assignment has assessed security plans and security policies. It used an example of a
security plan and a security policy to show a preliminary outline of the information that should
be contained within both of these documents. Within the security plan and policy, an assessment
had to be made of what essential information was missing, incomplete, inaccurate or ill advised.
The policy and plan were to be assessed for a small home network or small business of about
twenty people, identifying and mitigating ten threats that such a business could face. It is
assessed that sufficient changes to the policy and plan need to be completed for both of them to
be secure and effective. The process of designing and developing an information security policy
plays an important role in the policy's life cycle and affects how people feel about the policy
and whether they see its rules as a needless imposition of power or as an expression of their own
values. Unfortunately, an information security policy conflicts with most people's view of reality:
for example, an employee shows sensitive information to someone who does not have the
appropriate level of authorization to view it because they both work on the same project team.
However, if users fail to comply with the rules, an information security policy can help deter
abuse. Although having an information security policy in an organization is essential, it is not
enough to ensure an employee's compliance with it.
