Sunday, April 6, 2014

IT Policy

Definition

IT Policy is the set of guidelines within a company for the correct use of IT tools and resources, so that they support the company's goals and mission as well as possible. Different companies will have different IT policies, depending on how they use their systems and who has access to them.

Concepts and Methods

Concept: Security Risk - concerns how an organization protects its information, business operations and so on from operational threats (ControlRisks, 2013). The likelihood that an organization's assets are insufficiently safeguarded against threats is very high, and the shortfall in protection against loss, damage or compromise is what we call risk. Even when decision makers are aware of the risk, the problem is compounded because they may be unaware of all the actions available to them to mitigate it. To see this, one only has to look at the high rate of breaches even though security tools and practices are more prevalent than ever. Two policy models are widely used today: rule-based and risk-based (Discini, 2006). Traditionally, rule-based policies were developed to control computing assets at a time when regulatory compliance and security risk did not merit even a passing thought. The goal of risk-based policies, on the other hand, is not to provide a remedy for every security breach or gap, but to lay out a comprehensive, systematic approach to risk mitigation and management.

Method: Security Policy - is used by an organization to state how its members should behave (Walt, 2001). The security policy is one of the critical elements of IT security. It identifies the rules and procedures that everyone with access to computer resources must adhere to in order to ensure the confidentiality, integrity and availability of the organization's data and resources. Moreover, the security policy puts the organization's security posture into writing, describes and assigns functions and responsibilities, grants authority to security professionals, and identifies the incident response processes and procedures.

The security-related decisions the company makes, or fails to make, largely determine how secure or insecure its network is, how much functionality it offers, and how easy it is to use. However, the company cannot make good decisions about security without first determining what its security objectives are. Until it has done so, it cannot make effective use of any collection of security tools, because it will not know what to check for or which restrictions to impose.

Tools and Best Practices

A toolkit for IT Policy is the Information Security Policy written by DISP (2007). It consists of a series of documents intended to help the organization achieve compliance with the required standards; its main concern is information security policy. The document most useful for IT Policy is an outline for developing a comprehensive security policy. It breaks down the relevant security standards in a form that can easily be adapted to create a new security policy.

Major areas are as follows:
  • Organization of security
  • Asset management
  • Human resources
  • Physical/Environmental security
  • Communications
  • Access control
  • Compliance
  • Business continuity planning
  • Incident management
  • Systems acquisition 
  • Development 
  • Maintenance 
Each of these areas has its own documentation that breaks it down further. Because the areas are kept separate, the Information Security Policy makes it easy to integrate changes into one area without rewriting the entire security policy unless that is actually required.

My Approach

IT Policy lays the groundwork for ensuring that a company does not waste time or misuse its assets. It seeks to establish proven methods and best practices for carrying out specific business processes. In my approach to creating value through IT Policy, it is important that policy be set from the top down. If a company lets tier-1 security personnel dictate policy, how can it be sure that the policy serves the company's best interests? Tier-1 security employees have limited knowledge of, and experience with, the organization's overall direction and policy, and so they should not be the ones determining it.

In addition, InstantSecurityPolicy.com (2013) makes the point that "no single policy or security strategy will work for every organization." Policy must be tailored to how the organization actually operates. This does not call for a long policy, but for an efficient one, which brings me to my second point: the importance of developing clear, concise and understandable policy. Such a policy should reduce mistakes and improve employees' ability to carry out business processes, because there is less ambiguity about how things should be done, and when something does go wrong the problem can be identified and resolved quickly. Taken together, these steps should add business value through higher productivity and less time spent correcting mistakes, and the reduction in mistakes should be measurable. Finally, effective policy must ensure compliance with the standards the company is required to meet (HIPAA, 2011).
