Written by

Shama shoukat
Security Policy
Summary
The security policy is the set of the rules and mechanisms in the written
form to ensure the integrity, confidentiality and availability of the physical
and technical information of any organization. The security policy covers
all the matters related to the security of the organizations like the
procedures to implement the security, the security policy evaluation and
strategies to take the corrective actions after its evaluations. These
policies and procedures are essential for the existence of the organization
as the loss of the useful data and exploitation of resources can question
the existence of the organization. Such policies also secure the assets of
the company and mainly focus on the Information Technology System and
are the mode of reduce, mitigate and respond to the risk. These policies
are beneficial to provide the guidelines for employees and IT specialist to
work within their authorized area and reduces the exploitation of the
organizational resources.
Abstract
This research paper provides you thedetail about the strategies for the
security policy and the importance of the security policy for the
organization. It is revealed that the security policy must be aligned with
the budget, goals and objectives of the organizations and must have the
proper control strategies for the evaluation. It is also found that strategies
help the organization to secure the assets and information about the
organization. If the awareness of the security policy is given to the staff,
this research paper explores that how it becomes a tool to mitigate the
risk, increase reputation and avoid the legal proceedings, reduce the
threats and safeguard and secure the organization from different risks.
The conclusion and the results of this paper can be generalized to all
organizations, mostly those which are related to information technology.
Strategies
The security policy is back bone of the information system as the
information system cannot secure the data without the security policy.
Different organization has different sorts of the security policies according
to the nature of the operations of the business.
Different strategies are designed to make the organization security
compatible with the organizations objectives. The selection of the
strategy depends upon the nature of the business. The organization
should choose the strategy that will increase the efficiency, effectiveness
and productivity. A good business strategy should eliminate the threats
that business may encounter and enable the company to take good care
of its assets and safeguard the business reputation. There are different
strategies that are available to the organizations in the security policy. The

selected strategies must help the organization to achieve the goals and
objectives of the business.
Proactive strategy
The method to develop the security policy is a proactive approach to deal
with the possible threats. This approach of the policy making forecast the
possible risks of the organization and viral attacks on the sensitive data.
(Jones, 2015) The determination of the threats leads toward devising the
methodologies to minimize and deal with the threats. The contingency
plans are also defined in the proactive approach to reduce the risk to
minimal levels. The proactive strategy is best for the security of the
information and data as the loss of business data may cause heavy
damages to the organization. (Soroko, 2014)
Proactive strategy constitute of the few steps
Proactive policy making team
This step of the proactive strategy hires the specialist to design the
strategy, according to the requirement of the business. In this approach
the common goal and vision is very important to design and implement a
strategy. With the focused approach the desired results can be attained by
the team.
Risk assessment procedures.
The risk assessment procedures are identified and applied in the
organization to identify the high risk areas and the critical assets. This
work is conducted by the specialist that are hired the organization for the
risk assessment. This risk identified may vary from business to business
as the critical asserts and information are different of all organizations.
(Forbes, 2015)
Prioritize the risk
The risk identified are prioritized and the strategies are designed to
eliminate and reduce the risk to the lowest level. The risk that has a high
chance of occurrenceare dealt first to avoid any chance of the loss of data.
(Columbia univ., 2013)
Devising of strategies
Different strategies are designed to prevent the critical assets and data
from the different attacks. These strategies may be different for the
different sort of the data and according to the level of the threat.
Implementation
The designed strategies are implemented and reviewed time to time to
check out the effectiveness of the strategies. In case of any loss of the
data the corrective actions are taken and changes are implemented to
reduce the further loss of data. (Towers, 2013)
Contingency and plan

The contingency plan is the also devised to overcome the failure of the
strategy. These plans are designed to overcome all the issues that
happened due to some weakness in the implemented strategies.

Reactive strategy
The reactive approach takes the corrective action for the security purpose
to reduce the damages caused due to lack of the security system this
approach ascertains the damages, take corrective action, repair the
damages and then learn from the damages. This approach also
documents all the damages caused by the lack of security policy and keep
on working on a contingency basis.The reactive strategy, organization
implements when the planned strategies failed to secure theorganization.
There are different steps that the reactive strategy follows to overcome
the loss of the information. (Mannan, 2012)
Estimate the damages
This process of the reactive strategy determines the extent of loss
occurred. These damages are estimated as soon as possible to resolve the
issues that caused the damages and to start the smooth running of the
operations of the organization again.
Finding the causes of loss of data
This step of the strategy determines the resources that are being
attacked and find the main causes that let the damage happened. This
process also involves the review of the remaining security policies that
may be exploited and can cause damage in the near future.
Compensate the damages
Repairing and compensation of the data loss is started as early as possible
because the delay in the reparing can cause further damages and may
harm the business operations to a larger extent. So the process is
orignated to recover and restore the lost information and data.
Documentation of the attack
The documentation of the attack caused the damages is very essential art
of the reactive strategy. In this process the all details related to damages
for example, why the damages occurred, what resources are exploited,
how much was the recovery cost and many more.

Business aligned security policy

This approach aligns the business goals, objectives with the security
policy of the organization that mitigate the risk that threaten the
organization's success and safeguard its critical assets. This strategy gives
assurance to the organization that its information and the most important
physical assets are secured and there is no exploitation of the information

as well as physical assets.Thisstrategy for security policy works on the

different areas of the organization like organizations reputation,
operational activities, legal risks and information technology. (Time
Review, 2013)
Security Budget alignment with business
The budget alignment with the different departments of the business and
the security requirement enables the organization to get the edge and
reduces the friction of the running business. The security policy must be
focused on the budgetary control as going out of the budget will lead the
security policy failure. So the chosen strategy of the may be devised
taking into account the budgets available to the security team and the all
other departments. (Search Compliance, 2015)
Importance of the organizations security policy
The security policy must be developed by the organization to secure the
information as this is not the responsibility of the employees of the
organization to take care of all the information the security policy is
essential as the organization have the plenty of the information that must
be secured to grow continuously and get the edge. The security policy
must identify the sensitive areas of the business and after identification
the goals are devised for the security policy. The importance of the
security policy cannot be denied as it helps the organizations attain the
following benefits.

The security policy explains that employees what they have to do to

secure the information and what are their areas where they can
work and defines the limitation according to the employee
designation. (DeMetz, 2015)
Thebehaviourallimitations are defined by the security policy that
control the employeesbehaviour in the certain situations and the
action that can be taken in response of their behaviour.(IES, 2015)
Thesecurity policy reduces the loss of information and sensitive data
and provide the guideline to secure data in a proactive manner to
reduce the risk of leakage of data.
The security policy help the staff to take corrective action is a case
of the scams, risk and loss of data and provide guideline to handle
the sensitive information.
This reduces the breaches that may happen in the absence of the
security policy and prevent from the litigations and save money.
(COX, 2015)
The executive level staff is held responsible legally to insure the
confidentiality of the sensitive data and that improve their work
efficiency to avoid any litigation against them. (Brenner, 2013)

Conclusion

The security policy is the back of the any organization as its presence
assists the organization to achieve its goals and objectives and reduces
the pitfalls that may the organization may encounter due to loss of the
informational exploitation of resources. There must be an appropriate
balance between the security control, budget and organizational
objectives. This security policy ensures the confidentiality and availability
of the sensitive information and reduces the litigation proceeding that
may cost money to the organization. There are different strategies
available to the organizations to choose, but the proactive strategy with
the budget plan strategy holds good for all types of the organizations. The
reactive strategy itself is not a strategy it can be used in case of the
failure of the proactive strategy,especially in the information technology
where the chances of the cyber attacks are very high.So we can say that
the security policy is very important to avoid all the risks and threats and
help the organization to achieve its long term objectives and these
policies must be designed with the greatest care and should be well
focused.

References
(n.d.).
Benson, C. (n.d.). Security Strategies . Retrieved from Microsoft:
https://msdn.microsoft.com/en-us/library/cc723506.aspx
Brenner, J. (2013, June 19). Is Anyone Really Responsible for Your Companys
Data Security? Retrieved from HBR: https://hbr.org/2013/06/is-anyonereally-responsible-for-your-companys-data-security
Columbia univ. (2013, Oct). Information Security Risk Management Policy.
Retrieved from Columbia university:
http://policylibrary.columbia.edu/information-security-risk-managementpolicy
COX, A. (2015, May). Cyber-Security & Minimising. Retrieved from
http://www.google.com/url?
sa=t&rct=j&q=&esrc=s&source=web&cd=1&cad=rja&uact=8&ved=0CB
0QFjAA&url=http%3A%2F%2Fwww.arthurcox.com%2Fwp-content
%2Fuploads%2F2015%2F05%2FCyber-Security-Minimising-LitigationRisk.pdf&ei=dneEVaDZKoSpuwTu3oC4BQ&usg=AFQjCNEAcdTswjl
DeMetz, A. (2015, March 23). The #1 Information Security Policy That IT
Managers Would Change . Retrieved from CIO:
http://www.cio.com/article/2899927/security0/the-1-information-securitypolicy-that-it-managers-would-change.html
Forbes. (2015, May 05). Steps For Improving Your Information Security Policy.
Retrieved from Forbes:
http://www.forbes.com/sites/sungardas/2015/05/05/steps-for-improvingyour-information-security-policy/
IES. (2015, June 19). Why Do You Need a Security Policy? Retrieved from
https://nces.ed.gov/pubs98/safetech/chapter3.asp

Information Shield. (n.d.). Security Policy. Retrieved June 19, 2015, from
https://nces.ed.gov/pubs98/safetech/chapter3.asp
Jones, P. (2015, May 13). Implement a Proactive Strategy for Data Security.
Retrieved from Security intelligence:
http://securityintelligence.com/implement-a-proactive-strategy-for-datasecurity/#.VYR4zXtRLsA
Mannan, S. (2012). Lees' Loss Prevention in the Process Industries. In S. Mannan,
Lees' Loss Prevention in the Process Industries (p. 3776). ButterworthHeinemann.
Native Intelligence. (n.d.). Information Security Awareness and Privacy Training
Programs. Retrieved from Native Intelligence:
http://www.nativeintelligence.com/ni-programs/ni-benefits.asp
Rouse, M. (2015, June 19). Security Policy. Retrieved from Search Security:
http://searchsecurity.techtarget.com/definition/security-policy
Search Compliance. (2015, June 19). Three strategies to align organizational
compliance and security goals. Retrieved from
http://searchcompliance.techtarget.com/tip/Three-strategies-to-alignorganizational-compliance-and-security-goals
Search Compliance. (n.d.). Three strategies to align organizational compliance
and security goals. Retrieved June 19, 2015, from
http://searchcompliance.techtarget.com/tip/Three-strategies-to-alignorganizational-compliance-and-security-goals
search security. (2007). Retrieved from
http://searchsecurity.techtarget.com/definition/security-policy
Soroko, J. (2014, April 14). Reactive Cybersecurity Strategy Is Not A Strategy.
Retrieved from ENTRUST: http://www.entrust.com/reactive-cyber-securitystrategy-strategy/
Time Review. (2013). An Enterprise Security Program And Architecture To
Support Business Drivers. Retrieved June 19, 2015, from
http://timreview.ca/article/713
Towers, M. A. (2013, Sep 06).
http://www.csoonline.com/article/2133533/strategic-planning-erm/5implementation-principles-for-a-global-information-security-strategy.html.
Retrieved from Scoonline: 5 implementation principles for a global
information security strategy