Consultancy

IT Security Policy and Procedures

Policies define how ITS will approach security, how employees (staff/faculty) and students are to approach security, and how certain situations will be handled. An IT Security Policy identifies the rules and procedures for all individuals accessing and using an organization’s IT assets and resources.

An Information Technology (IT) Security Policy identifies the rules and procedures for all individuals accessing and using an organization’s IT assets and resources. Effective IT Security Policy is a model of the organization’s culture, in which rules and procedures are driven from its employees’ approach to their information and work. Thus, an effective IT security policy is a unique document for each organization, cultivated from its people’s perspectives on risk tolerance, how they see and value their information, and the resulting availability that they maintain of that information. For this reason, many companies will find a boilerplate IT security policy inappropriate due to its lack of consideration for how the organization’s people actually use and share information among themselves and to the public.​

The objectives of an IT security policy is the preservation of confidentiality, integrity, and availability of systems and information used by an organization’s members. These three principles compose the CIA triad: