Answer the question
In order to leave comments, you need to log in
Document on information security in your company?
One of the most important documents of a self-respecting company should be a document on information security (security policy), which should describe the policies and procedures for information security.
The length of the document may vary. Employees must comply with at least basic requirements.
Examples:
— Internet security policy, —
Data backup and recovery
policy, — Password policy,
— Corporate network resource access control policy,
etc.
Actually the question is: Do you have such a document, are they observed and what topics does it include?
Answer the question
In order to leave comments, you need to log in
Perhaps in our company there is such an instruction, but in fact everything is transferred to new employees of the IT department by us (security guards) orally ...
The first point of the document on information security is not to tell anyone about this document ...
Typically, such a document is an annex to the employment contract, and it is not subject to disclosure.
For ordinary employees, this is usually a list of prohibitions - installing pirated software on your computer, installing sharing clients and other products, or generally prohibiting anything from installing, and using only what the IT department has installed.
Accordingly, only the IT department deals with backups, access restrictions, etc.
Most often, security in the IT part is performed by the IT department, sometimes dedicated employees with the appropriate education in information security.
The usual SB is most often former cops / KGB / SBU / their own version, who understand little and poorly in IT, and for the most part in age and rank.
And the policy is usually described by group policies in the domain and settings on the proxy and mail server.
Documents for my experience, I met once. when I got a job in a bank, but to be honest, I was broken off by reading a few dozen A4 sheets of this nonsense - I just signed and gave
and instructions for settings - backups and so on - yes, sometimes they are made, sometimes they are sent to all employees in the form of an order.
But there is only one way to accustom all employees to store all documents on file servers - mapping "my documents" to a network drive, prohibiting recording music / video there by policies on the file server and forcibly closing local disks for recording with taking away admin rights. and a list of software that can be installed on working machines
You correctly write that the information security document is one of the most important documents, because it is at the top of the hierarchy of information security documents.
Ideally, a company should have an IS Concept and an IS Policy. If the company is also the operator of personal data, then according to Federal Law-152, a Policy for the processing [and protection] of personal data should be developed.
Organizational documentation can be logically divided into two parts: organization of protection and provision of protection. In the first, organizational moments are written, in the second - how everything needs to be configured by the admins in order to comply with the plans of the organizers. Do not forget about the assignment of responsibility for each area of work: data destruction, data backup, access to office premises, etc.
Didn't find what you were looking for?
Ask your questionAsk a Question
731 491 924 answers to any question