Learn about the need for a corporate IT security policy, its role in an organization, legal aspects, and methods to improve awareness. Explore prevention, detection, investigation procedures, staff responsibilities, and disciplinary actions.
13.6 Legal Aspects Corporate IT Security Policy
Objectives • Understand the need for a corporate information technology security policy and its role within an organisation. • Factors could include prevention of misuse, detection, investigation, procedures, staff responsibilities and disciplinary procedures. • Describe the content of a corporate information technology security policy. • Describe methods of improving awareness of a security policy within an organisation, cross-referencing to training and standards.
What do I need to know? • There are many legal considerations which regulate the use, by companies, of IT equipment, programs and data. • In this section we will look at the way legislation influences the way that organisations operate. • We will also look at the security problems raised by these legal issues, along with what companies can do to make staff aware of the need for security and what action organisations can take to minimise loss.
Legislation • Some laws are specifically aimed at the use of IT. Name the laws an IT professional should know about:
IT systems are vulnerable to two threats: • Accidental • Deliberate
Can you define… • Malpractice • Bad practice • Against the organisation's code of practice • Usually by an employee within the organisation • Crime • Crime is concerned with illegal activities • Usually occurs from outside of the organisation • Actions that are unauthorised
Corporate Information Technology Security Policy • A document covering all aspects of security within an organisation. • It also contains conditions and rules that need to be obeyed by all staff. • It should be produced by, and have the backing of, senior management and directors.
IT Policy Statement • Covers all aspects of computer operations • All users are expected to read and sign • Some companies also include training: • DPA • Computer Misuse Act • Raise awareness of threats
Corporate IT Security Policy • Should address: • Prevention of misuse • Detection (through regular checking) • Investigation (through monitoring and audit) • Procedures used to prevent security problems (unauthorised access) • Staff responsibilities (to prevent misuse) • Disciplinary procedures (for breaches of security).
Methods of Improving Awareness of ICT Security Policy • Induction Training • Staff Access to Guidance • Full staff meeting • Training • A leaflet distributed to all staff • Policy posted on Intranet or bulletin board • Posters displayed throughout the building • Emails sent to all staff