Security policy is understood as a set of documented administrative decisions aimed at ensuring information security. The security policy determines the organization's strategy in the field of information security, as well as the degree of attention and the amount of resources that the management of the organization considers it advisable to allocate to it as critical.
The security policy should include comprehensive decisions covering all aspects of the use of the infocommunication system. It seems advisable to include the following sections in the document describing the organization's security policy:
an introductory section, specifying the role and place of information security support in the infocommunication system;
an organizational section, containing a description of departments, commissions, groups etc. responsible for information security support;
a classification section, describing the material and information resources available to the organization, as well as the level of protection needed;
a staff issues section, describing security measures applied to the staff (a description of positions from the point of view of information security, the organization of staff training and retraining, the response procedure in case of violations of the security policy, etc.);
a section describing the problems of the physical protection of the infocommunication equipment;
an administrative section, describing the management of technical equipment;
a section describing restrictions on access to information resources;
a section describing a procedure for the development and maintenance of the automated information systems;
a section describing measures directed at ensuring the uninterrupted operation of the organization;
a legal section, confirming the conformity of the security policy to current legislation, as well as to internal regulatory and administrative documentation.
Once created, the security policy should not be treated as dogma. It should be continuously reviewed and corrected as infocommunication technologies develop and new threats emerge.
2.3. Educational activity
A lack of the required knowledge in the field of protection against malicious programs and spam is a source of problems in ensuring information security.
At the first stage, in order to organize educational activity aimed at counteracting information security threats, the following measures can be suggested:
the preparation of brief brochures and training instructions with recommendations on information protection for the managers of different levels, administrators of information systems, and home and office computer users;
the development of manuals describing all aspects of information protection that have been studied from a practical point of view, as well as the continuous review and updating of such manuals;
the development of educational programs and training materials for studies in higher and specialized secondary educational institutions, at refresher courses, as well as carrying out such studies;
the creation and continuous updating of Internet information resources devoted to protection against malicious programs and attacks by intruders, news mailing lists, conferences, and other similar resources;
the creation of manuals for schoolchildren on the basic principles of information security;
the creation of permanently operating forums where expert groups could exchange their experience to counteract information security threats;