Policy planning can be defined as a high-level overall plan that emphasizes the general goals and involves acceptable procedures. In general terms, it is accepted that in any organization the general information security policies should be the basis for its information security program (Long). Especially in financial service companies, the need for sensible policies is growing every day, as more and more companies go global with new mindsets and strategies. In this paper we will discuss different policies that can be used in implementing an information security policy.
The training policy of Company A covers all the staff of the company, who will be directly or indirectly involved in the company's new web based transaction system. It will be their responsibility to make things clear for their clients and other partners in the company (Long, P. G.). As far as the system access policy of Company A is concerned, all the staff of Company A need to be fully aware of their responsibility to keep their user ID and password as secret as possible, mainly because this is the first line of defence within any system, especially when it is new and web based.
Company A is a superannuation company that provides various financial services to its partners and clients. The company has implemented a web based transaction management system, which definitely needs storage for its data. Implementing a data storage policy helps in gaining effective management control of storage and of the use of resources; it also increases uptime and saves money. If storage for Company A is competent, then it has a positive impact upon reliability, scalability, security, efficiency and challenges. For Company A, a storage policy is a necessary part of controlling its corporate resources (Eckel, E., 2010).
For a financial company it is important to have effective storage management technology: it lets administrators do more, saves money, anticipates any or all needs that may arise in the future, and eliminates the risk of unexpectedly running out of space, which in turn might harm everyone’s productivity (Long, P. G.).
By having good storage management, Company A will be able to implement storage limits on users and groups of users, and limits on the size of shared objects. Company A can also have control over what can be written to servers and other desktop machines that will be used mainly to store the data for their clients and other financial institutions.
By implementing such a storage system, Company A will be able to do real-time monitoring and alerts for their clients and partners (Eckel, E., 2010).
For Company A, storage hardware and software management tools are only a part of the solution. If the company needs to clean up some data, it may affect their clients. In storage management the clients of Company A will play an important role by deciding whether to leave information online, delete it, or archive it. If the clients and partners of Company A have proper access to the storage, then it will be up to them to decide, as it is their data and only they know what is important for them and what is not (Danchev, D., 2009).
For Company A this can be a sensitive issue, because it may be asking its clients and other partners to place limits on what they might perceive as something free or infinite. Through storage management, Company A will be able to tell its clients and partners if something is wrong.
The company must make it clear that no representative of the company shall access or store organization data of any kind in any format by any means. Company A should implement specific systems and should manage them carefully to protect all kinds of data that might be accessed or stored on unauthorized organizations' computers and devices (Eckel, E., 2010). All files should only be accessed from the Company A server, if required under any circumstances.
All representatives of organization A must notify the IT department if any illegal move is made, and proper legal action will be taken against them (Eckel, E., 2010). That might result in the loss of their job or any penalties that may apply to them under state or corporate law.
For Company A, another vital issue for the web based transaction service that it has just started for its clients and partners is the maintenance of its system. Company A needs to place more emphasis on the maintenance of its PCs/workstations and the other technology that it will be using, mainly because it is involved in financial services, which need regular updates (Danchev, D., 2009). The workstations of users in Company A can be a significant threat to company security, as they may be targeted by so-called insiders who might get involved in the unnecessary use of their systems. For this reason Company A needs to educate its staff with respect to physical security as well; this can be achieved by running the system through the possible scenarios while providing tips for the better protection of the overall system.
The training policy for Company A comes under the responsibility of Human Resources. Identifying the need for training is the process of reviewing job performance standards under different situations and circumstances, and Company A should be able to identify whether the individual has the skills, expertise or competency that is needed for their job role.
Under the training policy of Company A, each and every individual should be made responsible for the identification of their own current development needs, career plans and development needs, with regard to the web based transaction system that Company A has just started. Under this policy the manager of the HR department will work closely with other departments and will assess the needs of their employees by providing them with the coaching and proper guidelines that they might need in the future.
Company A will use various tools to identify the training needs of their employees so that they will be able to use the new web based transaction system. The tools the company will use might be on an annual basis: employees meet with their managers and trainers so that they will be able to discuss the training and development needed to properly use the new system. It will be the responsibility of both the manager and the employees to ensure that proper training is carried out.
In certain situations, if employees identify other training needs which might help them indirectly with the new web based transaction system, they should be able to discuss them with their manager and other people who might be responsible.
In Company A, any kind of training for employees, so that they can get to know the new web based transaction system for their clients and partners, will need approval from certain authorities (Danchev, D., 2009), so that everything goes according to plan. Training will only be provided to certain employees and not all of them, as it will be costly for them. Training policies vary between companies according to their industry and requirements, but in general they have the same structure and layout. In all cases final approval is also required from Human Resources.
System Access Policies
For Company A, this policy covers the main and most important aspects of their information system policy. Since Company A is a financial service provider and its main clients and partners are large financial and insurance companies, it places more responsibility on itself than on others. The staff of Company A should be aware of their responsibility to keep their user IDs and passwords as secret as possible; it is not only a matter of security for them but for the data that might be in their possession. Company A should explain to its users that under no circumstances are they allowed to share their ID or password with anyone unless the other person has the right to access their system. "Anyone" might range from a representative of the information security office (ISO) to their family members. Especially since Company A plays such a vital role and supports the web based transaction system, its system access policy should also restrict any user from providing their ID or password even to managers or other executives.
For Company A, under their system access policy, no staff member is required to write anything about their accounting or financial data, or their ID/password, on loose papers, sticky notes or anything else which might result in a potential break-in due to the improper handling of sensitive data. When the situation is so critical, the staff should not be allowed to store their ID or password, no matter how safe the staff might think their password is (Danchev, D., 2009).
Company A should educate its staff so that strong passwords can be created.
The proper maintenance of sensitive data such as the user ID and password for Company A is a responsibility of every staff member.
After in-depth analysis of all the policies mentioned above, namely the storage policy, maintenance policy, training policy and system access policy, it can be justified that all these policies will be of high importance and will play a significant role in generating a web based transaction management system for Company A. One of the basic purposes of the file storage policy is to have a proper backup of the data so that the threat of losing the data can be overcome. If the data is stolen or destroyed, Company A will then easily be able to regain the same data under the data storage policy. The most important purpose of this policy is that it will provide a backup service to its clients and partners, especially when they are involved in the web based transaction system.
According to Ming-Yi, the importance of maintenance policies for companies has been recognized over the past decades, and they are highly regarded in today's competitive environment, where companies are fighting hard for a large share. In the case of Company A, it is very important to regularly do the maintenance of its systems. The proposed maintenance policy can provide significant benefits for real-time maintenance decision making.
As far as the training policies are concerned, in order to increase efficiency and productivity, especially for its new web based transaction management system, Company A must provide enhanced training to its staff; with such training the staff will be able to serve better and perform better. It has been analyzed that in today’s competitive environment it is very important that all the staff of a company are well trained and have proper knowledge of the system they will be working on. The identification of training and development opportunities will form part of the annual Performance Management Review.
In the end, the system access policies of Company A are of vital importance, as they not only provide the guidelines that need to be followed by the staff but also draw certain boundaries that the staff must respect. The system access policy places a legal threat on staff members: if certain policies and issues are not followed, and any breach of the rules is found, the staff will be penalized.
All the above-mentioned policies are of huge importance for the company and for its new web based transaction management system. The nature of the company also plays a vital role: in many small and private firms the sharing of IDs and passwords between different employees may not be a big issue, but since the nature of Company A is related to finance and its clients and partners are of prime importance, it needs to have such strict policies and needs to make sure that its staff follows all of them.
Long, P. G., ‘Security Policy in a Global Organization’, Version 1.3
Eckel, E., 2010, ‘File storage policy’, vol. 3, issue 9, pp. 67–89
Ming-Yi You, Lin Li Guang, Meng Jun Ni, 2010, ‘The importance of Security Policy’, vol. 7, issue 2, pp. 257–265
Danchev, D., 2009, ‘Building and Implementing a Successful Information Security Policy’, viewed on 19th September 2010, www.windowsecurity.com