Shearwater Solutions (Shearwater) provides a range of policy-related services. These range from reviewing and updating existing policies, to aligning policies with standards such as the Payment Card Industry Data Security Standard (PCI DSS), ISO/IEC 27001 and SOX, to full development of policies in conjunction with your staff, as well as reviewing technical compliance.
A security policy outlines the requirements for information security within an environment. Combined with standards, guidelines and procedures, this allows management to take control of information security. In real terms, this means that employees know what is expected of them, what is acceptable and what is not. This applies both to users of IT and to those who manage it.
Without appropriate policies:
- Staff members may be unaware of their responsibilities and duties regarding IT Security. Consequently, they may deliberately or accidentally compromise corporate information.
- Management may have no recourse against perpetrators.
- Staff have no official guidelines for configuring and administering systems with regard to IT Security.
- Systems may be secured inappropriately as the value of the information is not known or has not been adequately determined.
- Management may be unable to demonstrate due care and diligence with regard to information security.
- The company, company directors and management may be held liable.
Generally speaking, organisations operating without a security policy tend to implement security controls inconsistently. This often results in loopholes that can be exploited or procedures that fail. Furthermore, detecting and resolving these weaknesses can be difficult and time consuming.