Information Security Policies and Measures

How well developed are my organization’s information security policies?

In my opinion, information security policies in my organization are well developed and fully implemented. This is because they all in action and fully followed. Updating of the policies also takes place regularly to prevent dormancy of the policies.

Policies and measures to ensure confidentiality, availability, and reliability

1. Confidentiality: this is ensured when disclosure of information to unauthorized individuals or systems is controlled. The organization uses policies such as encryption of all sensitive data when being transmitted to other sites. There is also the use of cookies policy incorporated to ensure the privacy of electronic communications within the organization. The confidentiality of health care records in the organization is also maintained in accordance with the Information Practices Act (Peltier, 2004). This Act issues the following policies: Only authorized persons shall have access to any medical records, If not in use medical records shall be locked up in files in a locked room, and that the organization shall review its record management procedures occasionally (Peltier & Blackley, 2005).
2. Availability: these are policies to ensure that information is available when needed. Policies implemented in the organization to ensure information availability include Use of backups; this is whereby copies of any stored information are produced. There is also the use of physical security; physical security is provided to the information systems to prevent the availability of information to unauthorized persons.
3. Reliability: Reliability of the information in the organization is mainly through ensuring that personnel who are dealing with the information are fully qualified. There are also disaster recovery actions to ensure the loss of information is reduced (Vacca, 2009).

Steps to take to ensure that data remains accessible in the event of a catastrophic event such as a fire or other natural disaster?

1. Always have a backup: at least one copy of the original data should be kept in a different storage disk. Backup could also be in form of hard copies printed and stored in secure cabinets, preferably kept in an offsite location. This helps protect the backup from damage in case of a disaster. In an offsite, location is not possible then at least the backup should be kept in a fireproof safe (Vacca, 2009).
2. Ensure backup is updated at least once a week: to ensure that all data is kept in a backup, the organization should make sure that that the backup copies are up to date such that in case of a disaster, no data is lost.
3. Procuring fire-resistant cabinets and safes: The business will always have some vital records being kept in an on-site location. For onsite storage, standard filing equipment is mostly used, as is believed to offer fire protection (Peltier & Blackley, 2005).

To ensure that organization’s information is accessible in the event of a disaster, the following should be undertaken: prioritizing the specific categories of vital records lost in the disaster (Peltier & Blackley, 2005). Vital records mainly include contracts for ownership of property, operational records, produced reports, current client files, and software source records. All these should be tracked and designated to secure the relocation site. The arrangement of how backup is to be transported should also be made to prevent any possible loss during transportation (Peltier & Blackley, 2005).

Things to do to further enhance information security:

1. Installation of patches: for greater security of information, the organization can apply patches. These are small software add-ons structured to deal specifically with security holes and other computer problems.
2. Installation of application-layer firewalls: these enhance information security in the organization by monitoring and inspecting packets entering and leaving the organization. Firewalls also foil hackers on the internet and make a computer invisible to internet intruders (Peltier, 2004).
3. Training and education of employees: the organization can also enhance its information security by educating the employees on information security issues. Employees educated on the importance of information security will help reduce the chances of insecurity threats such as social engineering. Employees will also be careful when dealing with outsiders through the internet.

References

Peltier, T. R. (2004). Information security policies and procedures: a practitioner’s reference. London: Auerbach Publications.

Peltier, T.R & Blackley, J. A. (2005). Information security fundamentals. New York: Auerbach Publications.

Vacca, J. R. (2009). Computer and information security handbook. Boston: Kaufmann.