Rule of Law for Digital Information World – Security Policy
In order for a society to function and prosper, certain rules, or
laws, must be established and followed. This simple, yet vital,
basis of civilization can be seen throughout history.
Every society has become more civilized over time through socially
agreed-upon laws.
At the beginning of the last century, Henry Ford established a
company that would go on to manufacture half of all cars in America,
beginning with his Model T's in 1918, based on technologies stemming
from the industrial revolution in the mid-1700s. The success of Ford
and other automobile manufacturers eventually led to what we now
know as the rules of the road.
Rules of the road are defined as general practices and procedures
that people abide by while operating motorized vehicles on public
streets and highways, according to
www.answers.com. These
rules also govern interactions between vehicles and pedestrians. The
most basic traffic rules have been established through an
international treaty under the authority of the United Nations, the
1968 Vienna Convention on Road Traffic.
Now, just a century later, we are
facing a new revolution — the digital one. Driven by cornerstone
advancements in computer-related technologies, the digital
revolution threatens to have a larger impact on our society than the
industrial and automobile revolutions combined. The increasingly
open nature of the Internet, combined with alternative means of
communications and the ease of travel between countries, has shaped
the digital information revolution into a fundamental change to our
civilization’s structure.
Despite this profound change, we have
yet to see a concrete set of rules for the digital world. The
landscape of this digital information revolution is, for the most
part, still a Wild, Wild West!
So what set of rules must we
establish to govern this digital information world? I say, much like
the rules of the road, the rules of the digital information world must be
formed with the protection of human beings and their property in mind.
Society may go
about establishing any socially agreed-upon set of laws in two ways:
top down or bottom up.
Top Down          Bottom Up
United Nations    Organizations
Countries         Communities
Communities       Countries
Organizations     United Nations
By far the easiest place to start is
from within an organization, simply because it usually requires the
least consensus and can be implemented in a matter of months,
depending on the size of an organization.
In this white paper, we will focus on
the organizational aspect of developing a digital information
security policy.
So why is it so important to have a
digital information security policy?
Well, to begin with, almost
everything and anything of value to an organization is now digitized
in one way or another — or will be very soon. It would be
unthinkable to continue permitting the viewing, listening,
modification, distribution, publication and destruction of this
digital information without a governing policy.
Without a set of rules governing
digital information security, how can users be held responsible for
handling digital property? Without knowing what guidelines to
follow, how can we expect users to handle digital information in a
socially agreeable and acceptable manner?
What happens if there is a dispute?
Who would be right? And what court would decide, if any?
With or without an organization
realizing it, having a digital information security policy could be
the difference between life and death for an organization. An
organization’s survival, reputation and competitiveness may depend
on it.
To make a long argument short, an
organization must have basic laws governing digital information
security, and the policy has to be well-communicated and agreed
upon.
Developing a digital information
security policy can be fairly complicated, and it can be different
across organizations. However, the higher-level structures are more
or less the same.
Below, I have outlined the
higher-level structures of a sound digital information security
policy for any given organization:
Digital information protection classifications policy
    - Business continuity
    - Digital data disaster recovery
    - Digital data protection
    - Digital data encryption
    - Digital data access control

Digital information classifications policy
    - Levels of definition of the digital information
    - Levels of critical digital information
    - Levels of digital information retention & destruction

Software Application
    - Acceptable usage
    - Access control

Computer Operating Systems
    - Acceptable usage
    - Security hardening
    - Security protection
    - Data encryption
    - Access control

Computer, Network & Related Hardware (Computer, Router, Printer,
Copier, Scanner, PDA, Cell phone, Memory Stick / USB Drive etc.)
    - Acceptable usage
    - Security hardening
    - Security protection
    - Data encryption
    - Access control

Network (LAN, MAN, WAN, Internet, Extranet & Intranet)
    - Acceptable usage
    - Security hardening
    - Security protection
    - Data encryption
    - Access control

Media / Storage
    - Acceptable usage
    - Data encryption
    - Data retention & destruction
    - Access control

Physical Security (Room, Building & Etc.)
    - Closed Circuit TV monitor
    - Real Time environment monitor
    - Access control

User security classifications policy
    - Background check
    - Levels of digital data access control
    - Levels of software application access control
    - Security policy related acknowledgements signed and on file
    - Ongoing security policy training

Ongoing organization-wide review and fine-tuning

Independent audit of the above annually
Having a sound digital information
security policy can and will benefit an organization in many ways.
It serves as a framework for an organization to operate in this
digital information world with a set of over-guiding rules. It is
evidence that the management of the organization is serious about
safeguarding its proprietary information and trade secrets and lays
out a solid foundation when legal disputes are necessary, thereby
reducing the liability of the organization.
By Benson Yeung, Senior Partner