By enforcing corporate policy, corporations can reduce their risks and show due diligence to their customers and shareholders (Importance of Corporate Security Policy, 2010).
Before making choices regarding the Information Security strategy, long or short-term, organizations need to have a sound appreciative of their sole risk profile. Risk consists of a mixture of information resources that have value and vulnerabilities that are gullible. The scale of the risk is the product of the value of the information and the amount to which the susceptibility can be exploited. As long as the organization has information that has worth that information and by expansion, the organization will be susceptible to risk. The purpose of any information security control mechanism is to limit that risk to an suitable level. This is also true for policies. "Policies are a risk-control mechanism and must therefore be designed and developed in response to real and specific risks. Thus, a comprehensive risk assessment exercise must be the first phase of the policy development process. The risk assessment should identify the weakest areas of the system and can be used to define specific objectives" (van der Walt, 2010).
Conclusion
A security policy is basically a plan, outlining what the company's critical assets are, and how they must and can be protected. Its chief purpose is to provide staff with a brief summary of the adequate use of any of Information Assets, as well as to clarify what is considered as permissible and what is not, therefore engaging them in securing the company's critical systems. In order to comprehend the significance of a security policy, staff needs to be conscious and completely understand the penalties of violating the policy, thus exposing critical systems to a spiteful attacker, or causing unintentional damage to other companies worldwide. Violations should be handled consequently; those who in one way or the other breach upon the security policy should be made aware that they may face being put through a trial period, which comprises the limited use of some of the company information assets until they can show they are capable to act in a secure manner...
They should also be aware that in some severe cases they also may risk being fired or even prosecuted (Danchev, 2003).
Organizations must be prepared to enforce every stipulation the policy makes so policies must be focused and specific. Security administrators need to define objectives for their particular organization, based on the value of that information and the specific risks that information faces (van der Walt, 2010). The aforementioned policies do just this. They are all concerned with the risks that are involved both internally and externally for any company. Companies let entities both internally and externally access company information and so there is a need to have security policies in place in order to minimize any risk that might be present.
References
Danchev, D. (2003). Building and Implementing a Successful Information Security Policy.
Retrieved from http://www.windowsecurity.com/pages/security-policy.pdf
Importance of Corporate Security Policy. (2010). Retrieved from http://securityresponse.symantec.com/avcenter/security/Content/security.articles/corp.
security.policy.html
Information Security Policy - A Development Guide for Large and Small Companies. (2007).
Retreived from http://www.sans.org/reading_room/whitepapers/policyissues/information-security-p olicy-development-guide-large-small-companies_1331
Internet Usage Policy. (n.d.). Retrieved from http://www.sans.org/security-resources/policies/internet-usage-policy.pdf
van der Walt, C. (2010). Introduction to Security Policies, Part One: An Overview of Policies. Retrieved from http://www.symantec.com/connect/articles/introduction-security-policies-part-one-overview-policies
Server Audit Policy. (n.d.). Retreived from www.sans.org/security-resources/policies/Audit_Policy.doc
Wireless Communication Policy. (n.d.). Retrieved from http://www.sans.org/security-resources/policies/Wireless_Communication_Policy.pdf
Workstation Security Policy. (n.d.). Retrieved from www.sans.org/security-resources/policies/200802_002.doc
