2. Security Policy
6.1.1 - If data is not stored securely, there could be consequences such as financial costs, legal issues and loss of reputation.
6.1.2 – When developing a security policy, consider: Prevention, Detection & Investigation of Misuse, Company Procedures, Staff Responsibility, and Discipline & Sanctions.
6.1.2.1 – Prevention takes account of users who cause an accidental security breach through lack of training or general incompetence, and also of deliberate misuse caused by hacking or other criminal activity.
6.1.2.2 – Serious damage can be avoided this way. Network management personnel can use manual methods to monitor the system. Audit Trail software can be used to detect abnormalities.
6.1.2.3 – When misuse is detected, it's important to do a full investigation. This helps prevent further problems in future. It can be internal misuse by an employee, meaning some form of discipline may be required as well as further training.
6.1.2.4 – Physical Security, System Access, Human Resource Issues, Operational Procedures.
6.1.2.5 – E.g. the System Admin could be responsible for system backups and would need to follow procedures to ensure correct timings, data content and location of backup storage.
6.1.2.6 – Staff need to know about the sanctions they may receive for any misdemeanour, either deliberate or accidental. Organisations need to take care when writing this, as it has to comply with current employment legislation.
6.1.3 – Employees need to be aware of how the security policy works and affects them. They can be made alert to security issues by: Training; Communication; Legal Obligations.
3. Training Policy
6.2.1 – The organisation needs to identify the skills required for each role in the company. The human resources department would keep details of employees' current roles, academic qualifications and previous training courses they have attended. All this information would be co-ordinated to determine the future training needed by individuals, which would be reviewed regularly.
6.2.2 – Courses are often short, intense and expensive; some cost £500 per day. The organisation would keep full details of various course providers and the quality of training provided. Large organisations have thousands of employees to train and invest in an in-house training facility.
6.2.3 – Linked to the training budget, normally awarded on an annual basis, to be spent on training, travel, accommodation and meals.
6.2.4 - If an employee is well trained, they will make fewer mistakes and be more efficient. This means less money is spent on training and more on physical components to make the organisation greater.
4. Procurement Policy
6.3.3 - Organisations consider the disposal of their old hardware as it is replaced with more modern equipment, and consequently have produced a policy to cover the issues.
6.3.2 - In projects, there are budgets that have to be kept within, and many companies are employing specialist consultants to maximise their purchasing efficiency.
6.3.1 - Funds can be saved by making sure that the necessary ICT equipment or services are delivered at the time they're needed and that product cost is carefully negotiated. Employees are responsible for different categories such as: Hardware, Networking & Communication Technology, Staff Services & Contract Labour, Applications Software and System Software.
5. Security Policy
6.1.1 – Why a Security Policy is needed.
6.1.2 – Factors Considered in a Security Policy.
6.1.2.1 – Prevention of Misuse.
6.1.2.2 – Detection of Misuse.
6.1.2.3 – Investigation of Misuse.
6.1.2.4 – Company Procedures.
6.1.2.5 – Staff Responsibility.
6.1.2.6 – Discipline & Sanctions.
Training Policy
6.2.1 - Skill Requirements
6.2.2 - Course Structure & Availability
6.2.3 - Financial Issues
6.2.4 - Cost Benefit
Procurement Policy
6.3.1 - Procurement of Equipment and Services
6.3.2 - ICT Procurement Consultants
6.3.3 - Disposal of Equipment