
Information Security Policy and the principles of its organization

The term "information security policy" can be understood in both a broad and a narrow sense. In the broad sense, it denotes an integrated system of formally documented decisions that an organization takes to ensure the security of the enterprise. In the narrow sense, it is a local document that stipulates security requirements, the system of measures being implemented, the responsibilities of employees and the control mechanism.

An integrated information security policy is a guarantee of the stable operation of any company. Its comprehensiveness lies in a well-considered, balanced degree of protection and in the development of appropriate measures and a control system for responding to any violations.

Organizational methods play an important role in creating a reliable information protection scheme, because the illegal use of information results from malicious acts and personnel negligence, not from technical malfunctions. A good result requires the combined interaction of organizational, legal and technical measures that should exclude all unauthorized penetration of the system.

Information security is a guarantee of the company's undisturbed operation and stable development. However, a quality protection system should be built on the answers to the following questions:

  1. What is the data system and what degree of protection is required?

  2. Who is able to damage the company by disrupting the functioning of the information system, and who can use the information obtained?

  3. How can you reduce such a risk to a minimum without disturbing the well-coordinated work of the organization?

The information security concept should therefore be developed individually for each enterprise, in line with its interests. Organizational measures play the main role in its quality, and include:

  1. Establishing an access control regime. This prevents covert, unauthorized entry onto the company's premises by outsiders and provides control over the presence of the organization's personnel on the premises and the time of their departure.

  2. Work with employees. This consists of organizing interaction with personnel and personnel selection. It is also important to get to know employees, and to prepare them and teach them the rules for working with information, so that they know the scope of its secrecy.

  3. The information security policy also provides for the structured use of technical means for accumulating, collecting and storing highly confidential information.

  4. Monitoring how personnel use secret information and developing measures to ensure its protection.

The costs of such a policy should not exceed the potential damage that would result from loss of the information.

The information security policy should pay considerable attention to the processing of information by automated systems: standalone computers and local networks. It is necessary to correctly determine the required degree of protection for servers and gateways, as well as the rules for using removable media.

The effectiveness of the information security policy largely depends on the number of requirements the company places on it, which allow the degree of risk to be reduced to the desired value.


Copyright © 2018 en.unansea.com. Theme powered by WordPress.