Definition of the Information Security Policies (ISP):
“The accepted vision of the ISP:”
The Executive Management Team (EMT) is responsible for accepting the rules and guidelines written into the company's Information Security Policies (ISP). As the ISP is the main tool for managing information security, it is also the tool for standardizing the company's information security operations. The ISP should not only be a document for management; it should also be an easily accessible guideline for all employees of the company, helping them prevent information security related risks.
All employees of the company should have a clear understanding and awareness of the basic risks related to IT systems before accessing those systems. The ISP defines these risks, as it is the main document for information security. All IT systems and solutions should also be configured and documented according to the rules of the ISP. Documentation and configuration alone are only half the job: continuous auditing of the main IT systems and infrastructure is needed to ensure that the ISP is actually making the environment as secure as it is meant to be.
The Executive Management Team (EMT) approves information security matters. The Security Manager ensures that the infrastructure and the employees follow the ISP. Each employee is responsible for reporting security risks and for following the rules of the ISP.
In general, each employee should read the company ISP and refresh their personal information security knowledge once a year. Company practices such as yearly security training can improve and maintain awareness of information security related issues and risks. Both the employees and the customers of a company benefit from professionally managed and communicated information security policies.