
Step 2: Components of a Proper Policy

Name of student:

Course:

Institution:

Date of submission:
Components of a Proper Policy


A security policy is paramount to ensure that organization data is kept confidential and that no modifications are made by unauthorized people. The policy sets the rules and guidelines that employees must abide by in their daily duties to fully guarantee information security. Ideally, the policy should ensure complete coverage of data, facilities, infrastructure, networks and systems, programs, users, and third and fourth parties. Full implementation of an organization policy requires consideration of several components to ensure that the policy covers all the areas and is effective and achievable. This section aims to identify the various components that make an excellent cybersecurity policy.

The following are the critical components of a cybersecurity policy that organizations should consider when implementing an approach to improve their security.

a) Purpose

A cybersecurity policy's first basic and essential component is to have a defined purpose. Calderaro and Craig (2020) state that the primary purpose of implementing policy in an organization is to protect sensitive digital information. However, the firm may be willing to define the policy goals in a more actionable way. An organization may have several objectives as to why it intends to develop a security policy, for instance, clarifying the firm's information security approach and responding to security breaches immediately and effectively. A firm's objective may also be to uphold its brand reputation in information security, respect its customers' rights to personal data privacy, etc.

Suppose an organization fails to articulate a clear and concrete purpose for its cybersecurity policy. In that case, its security measures are at risk of being ineffective and unfocused. In contrast, having a well-defined purpose for the organization's security policy enables an organization to tailor its security measures and provide enhanced data protection.

b) Audience and scope

This is the second crucial component of an organization's cybersecurity policy. It is vital to ensure that the business specifies the reach of the security policy. The policy should show which users are targeted and who are not affected. For example, the organization may decide that third-party vendors will not be included in its security policy. However, extending the reach may be tempting for security reasons. Keeping the policy within the organization makes it easier to enforce and manage. In terms of scope, the business must consider the infrastructure the policy will govern (Calderaro & Craig, 2020). Ideally, the policy should consider all the programs, systems, data, and other deployed technology in the organization. Such a broad scope helps in reducing the company's data security risks.

c) Information security objectives

It is vital to contemplate the organization's cybersecurity objectives during policy creation. According to Sabillon et al. (2017), the IT industry is concerned with three main principles, the CIA triad, that guide information policy formulation for an organization. These include confidentiality, where the policy being created should ensure sensitive data and assets are kept confidential and that only the authorized employees can access the protected information. In addition, an information policy should be concerned with the integrity of the organization's data. It should preserve sensitive data in a secure, complete, and intact form to avoid unauthorized modification by hackers. Also, the policy should aim to increase the availability of IT systems to users when required. As a result, it will ensure continuous flow and availability of organization resources and systems at any time required by users.

d) Authority and access control policy

A comprehensive security policy should indicate which employees of an organization have the right to limit data access. Everyone in the organization should be trusted and have data security insights that help them make correct decisions on the kind of information that can be shared or not. The policy should include an access control policy that correctly shows who is authorized to share information in the organization. Additionally, the section should indicate who in the organization has authority over the IT systems. Furthermore, it should clarify how to handle sensitive data, the access controls of the company, who is responsible for these controls, and the minimum security standards the organization must adhere to.

e) Data classification

Data classification is a crucial component of every organization's cybersecurity policy. The data should be classified into various security levels, for example, by assigning it to different categories, such as confidential information, secret and top secret, public, etc. The policy can also group the data depending on the security levels, for instance, level 1 - information accessible by the public, level 2 - information considered to be private but that causes no harm if it reaches the public, and level 3 - information that can have severe consequences for the organization if it goes public, etc. (Sabillon et al., 2017). Every category of non-public data in the ICT systems needs more protection since even a slight breach can be highly costly to the organization.

f) Data support and operations

This includes the measures and operations the organization should implement for handling each category of classified information assets. Syafrizal et al. (2020) define three essential data support and operations categories. The first one is data protection regulations, whereby under this category, the business should ensure organizational standards are set for protecting personally identifiable and sensitive data. The other category is the data backup requirements, where organizations should have sufficient and secure backups. In addition, the backups should be encrypted to prevent modification of the data contained within. The last category under data support and operations is the movement of data, where there should be strict security measures to govern the movement of data. Data should be transferred over secure protocols and encrypted to prevent access by outsiders.

g) Security awareness behavior

It is paramount to have better strategies put in place within the organization to heighten security awareness among the employees and prevent data breaches. The policy must be structured to encourage certain employee behaviors and bolster their awareness. As a result, it will help to thwart potential attacks and losses within the organization. According to Syafrizal et al. (2020), the best way to achieve this in an organization is through an employee training policy. The staff should be familiarized with what information is highly sensitive, the protection strategies already in place, and the access protection measures implemented. The security training for employees should cover briefing them on the social engineering techniques used by hackers and ways to counter them. Employees should also be aware of a clean desk policy and ensure that sensitive data is kept out of reach. Additionally, the employees should be trained on the internet use policy and be aware of the illegitimate websites that hackers use to lure users.

h) Responsibilities, rights, and personnel duties

This is the final component of the information security policy, which should clearly outline the employees' rights, duties, and responsibilities concerning data protection. Employees should be given responsibilities by delegating specific persons to conduct access reviews, carry out employee training, oversee change management procedures, and handle incidents. There should also be the right people to provide basic oversight of the organization's information security. As a result, it helps the organization avoid management errors that pose security risks.

All the above components should be considered when developing a security policy for an organization. As a result, it leads to a robust policy covering all aspects and ensuring that data breaches are minimized.

References

Calderaro, A., & Craig, A. J. (2020). Transnational governance of cybersecurity: policy challenges and global inequalities in cyber capacity building. Third World Quarterly, 41(6), 917-938.

Sabillon, R., Serra-Ruiz, J., Cavaller, V., & Cano, J. (2017, November). A comprehensive cybersecurity audit model to improve cybersecurity assurance: The cybersecurity audit model (CSAM). In 2017 International Conference on Information Systems and Computer Science (INCISCOS) (pp. 253-259). IEEE.

Sunkpho, J., Ramjan, S., & Ottamakorn, C. (2018, March). Cybersecurity policy in ASEAN countries. In 17th Annual Security Conference (pp. 1-7).

Syafrizal, M., Selamat, S. R., & Zakaria, N. A. (2020). Analysis of cybersecurity standard and framework components. International Journal of Communication Networks and Information Security, 12(3), 417-432.
