As we have emphasized on this website many times in the past, security and convenience are two opposing principles in the digital life of an individual or a business. Each time convenience becomes the focus, a wider attack surface is the natural side-effect. Staying effective requires a certain level of flexibility and adaptability: not every technology coming fresh from the pipeline must be adopted by a company. Consultation is required not only with the board of directors but with all the stakeholders of a company every time it rolls out new equipment critical to operations.
The rapid pace at which companies embrace IoT (Internet-of-Things) technology is one example. As more devices enter the corporate network under the BYOD principle, they demand leniency in security policy, such as enabling the Universal Plug and Play (UPnP) feature on routers. UPnP removes the complexity of configuring port forwarding by giving devices and the router a way to configure themselves on the fly, but at considerable risk: UPnP has repeatedly been reported as the attack surface that gave outsiders the foothold for a data breach.
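The practical consequence of that auto-configuration is that nobody on the security team may know which ports the router has quietly opened. The following audit helper is an added example (not code from the original article) that parses the SOAP responses a UPnP Internet Gateway Device returns for the WANIPConnection:1 action GetGenericPortMappingEntry and flags mappings that widen the attack surface; the sample responses are constructed inline, and the SENSITIVE_PORTS list and the flagging rules are this example's own assumptions about what a policy would consider risky.

```python
import xml.etree.ElementTree as ET

# SOAP shape of a WANIPConnection:1 GetGenericPortMappingEntry response, used
# here only to build offline sample input; a real audit fetches each entry
# from the router's control URL and stops when it returns an error.
_TEMPLATE = """<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/">
<s:Body><u:GetGenericPortMappingEntryResponse
 xmlns:u="urn:schemas-upnp-org:service:WANIPConnection:1">
<NewRemoteHost>{remote}</NewRemoteHost><NewExternalPort>{ext}</NewExternalPort>
<NewProtocol>{proto}</NewProtocol><NewInternalPort>{internal}</NewInternalPort>
<NewInternalClient>{client}</NewInternalClient><NewEnabled>{enabled}</NewEnabled>
<NewPortMappingDescription>{desc}</NewPortMappingDescription>
<NewLeaseDuration>{lease}</NewLeaseDuration>
</u:GetGenericPortMappingEntryResponse></s:Body></s:Envelope>"""

# Constructed sample entries: a device that opened RDP to the whole internet
# with no expiry, and a deliberately scoped, short-lived mapping.
SAMPLE_RESPONSES = [
    _TEMPLATE.format(remote="", ext=3389, proto="TCP", internal=3389,
                     client="192.168.1.50", enabled=1, desc="laptop", lease=0),
    _TEMPLATE.format(remote="203.0.113.7", ext=8443, proto="TCP", internal=443,
                     client="192.168.1.20", enabled=1, desc="vpn-peer", lease=3600),
]

SENSITIVE_PORTS = {22, 23, 445, 3389, 5900}  # assumed remote-admin/file-sharing ports

def parse_mapping(soap_xml):
    """Extract the New* argument elements of one response, ignoring namespaces."""
    f = {el.tag.split("}")[-1][3:]: (el.text or "").strip()
         for el in ET.fromstring(soap_xml).iter()
         if el.tag.split("}")[-1].startswith("New")}
    return {"remote_host": f["RemoteHost"], "external_port": int(f["ExternalPort"]),
            "protocol": f["Protocol"], "internal_client": f["InternalClient"],
            "internal_port": int(f["InternalPort"]), "enabled": f["Enabled"] == "1",
            "description": f["PortMappingDescription"], "lease": int(f["LeaseDuration"])}

def audit_mappings(soap_responses):
    """Return (client, external_port, reasons) for each enabled mapping that is risky."""
    findings = []
    for m in map(parse_mapping, soap_responses):
        reasons = []
        if m["remote_host"] == "":           # empty RemoteHost = any source address
            reasons.append("reachable from any remote host")
        if m["internal_port"] in SENSITIVE_PORTS:
            reasons.append("exposes sensitive port %d" % m["internal_port"])
        if m["lease"] == 0:                  # lease 0 = mapping never expires
            reasons.append("permanent lease (never expires)")
        if reasons and m["enabled"]:
            findings.append((m["internal_client"], m["external_port"], reasons))
    return findings
```

Run against responses collected from the real router, the findings list is the concrete evidence a policy owner needs to decide whether UPnP stays enabled or is replaced by explicitly approved port-forwarding rules.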
An information security policy is a set of rules that governs a company or organization's overall guidelines and policies for maintaining information security. Formulating one is essential for a company that wants to establish a security system. Many people know that they need one, yet do not know what to do when it comes to actually writing it.
It is a declaration that the company takes defined measures to protect confidential data and personal information from cyber attacks. In a society where the damage from cyber attacks keeps increasing, it is an indispensable part of the rules by which a company is managed.
There is no fixed wording for a security policy, but it generally covers the following in order to protect the company's information:
- Organization-wide information management policy
- Approach to information security
- Specific operational rules and standards for measures
Cyber attacks continue to diversify, and they are by no means uniform. Information security measures and standards are incorporated into each guideline in line with the basic policy; the details vary from company to company, but the principles behind their enforcement are similar. Beyond the basic policy, it is also necessary to set up penalties, defined for each department and contract in the company. It is fairly difficult for anyone, especially the HR department, to communicate penalties for IT security negligence, but it is necessary. Doing so creates a visible borderline against which employees can check whether an action will be compliant or not. The hardest rules to follow are the ones that are not concretely defined but are left to the interpretation of some authority figure or group within the firm.
BYOD (Bring-Your-Own-Device) is here and it cannot be stopped. The challenge for IT professionals, headed by the Chief Information Security Officer, is to make it work while leaving the network security arrangements as untouched as possible. Striking a balance between convenience and security takes a lot of funding: more devices on the network require more monitoring.