Widespread use of information technology (IT) has necessitated an increase in consciousness about IT security. As persons and organizations apply computers and mobile phones to most of their activities, as the use of flash drives to move data from one computer to another within homes and offices becomes fashionable, and as more information and communication devices are connected to the Internet than ever before, malicious activities that disrupt the normal functioning of these devices and compromise the privacy and integrity of the data they contain are on the increase. What users of these IT devices do (or should do) to contend with such threats is very important. It may not be simple, for IT security is a complex issue.
The complexity may be associated with the diverse nature of IT and its hub, information. Looking at the many different devices, computer programs and networks that constitute IT, and the varied formats in which information is held and transmitted, very many people get scared. They are confused as to what sort and level of security to provide, and for which item, especially when there are many competing critical expenses. The usual stance has been to assume there will be no security issue, and that if any issue comes up, it will then be dealt with. We may not know what is wrong with this reactive approach if we have not understood what IT security actually is and the extent of the calamities that negligence can bring upon us. Although IT security is wider than computer security, information security, data security, and other related terms in use, the definition of computer security given in the American National Standard Dictionary of Information Technology (ANSDIT) (2009) is a good representation of the meaning of IT security. ANSDIT’s definition points to taking appropriate actions to protect data and resources from accidental or malicious acts. Data, in whatever form, are just what IT works with, and resources encompass the devices, software and networks that participate in the processing and communication of the data. Accidental or malicious acts may be loss or unauthorized modification, destruction, access, disclosure, or acquisition.
No matter how complex it is, security of information technology must not be kept on the reserve bench of expenditure heads, to be called up only when there is surplus money or when attackers strike. Security has to be thought about during the planning of hardware and software acquisition, of data generation, warehousing and transfer, and of the installation of all kinds of networks and servers. Just as policies guide human resource management, procurement, production and other major activities for effectiveness and efficiency in achieving organizations’ goals, there ought to be a policy to provide direction for effective and adequate IT security, since IT now pervades all organizational functions. Sadowsky et al. (2003) said that putting a set of effective security policies in place was one of the critical steps you must take to ensure that your machines and information would be secure from unauthorized access and that you would be able to exchange that information securely with others on the network. An IT security policy is simply a plan or course of action (conventionally written) adopted for providing IT security.
Quite a lot has been written about various aspects of IT security, a term that has been used interchangeably with computer security, information security, data security and information and communication technology (ICT) security. All works published in IT security so far are intelligently written and incisive. They are indeed exciting. What is not delightful, however, is the neglect of the policy aspect. One reason for this neglect, this writer assumes, based on practices in his environment, is that practicing IT security without a policy has been the norm, and at times where a policy exists, it is rarely implemented, creating the impression that a security policy is needless. This explains why many organizations’ strategy is traditionally reactive. In many cases, the fire-brigade measures launched against attacks lack the potency to restore conditions to their original state. A policy prepares an organization to tactically prevent attacks. Organizations and IT security practitioners should accord IT security policy the attention it deserves for the most effective mitigation of IT risks, especially now that war fronts are being moved into cyberspace.
REFERENCES:
American National Standard Dictionary of Information Technology (2009). Washington, DC: InterNational Committee for Information Technology Standards (INCITS).
About the author
Chris Prince Udochukwu Njoku (PhD) is Principal Operations Manager in the Information and Communication Technology Unit of the University of Nigeria.