Where there is no law, they say there is no sin. In a standard society or organization, there should be law. In line with Newton's third law, that "for every action there must be an equal and opposite reaction", those who violate the law must face the consequences.
The purpose of a security policy is to document the set of rules the organization shall follow in managing information. The policy document applies to all information technology under the organization's control, whether directly or by proxy.
All do's and don'ts in the security policy shall apply to all network infrastructure, cables, wireless devices, telecommunication, and other technology devices. The policy is also binding at all times on anyone using a personal device to access the organization's network.
All permanent and temporary staff must adhere strictly to the rules and regulations of operation as provided. The policy document covers all organization resources, both onsite and offsite, and any equipment under the management of the organization.
Where a device managed by your organization is owned by another party whose own policy conflicts with the rules and regulations stated here, both parties should agree to apply whichever policy has the more restrictive measures for protecting the device.
Employees' Responsibilities (Logical)
Everyone needs to protect themselves and their immediate environment. Both permanent and temporary workers shall be responsible for performing specific functions according to their level. Levels shall range from 0 to 16.
Range 0-4 shall have only read access on the network, with access to limited resources. Everything available to such a person will be read-only.
Level range 0-4 is regularly assigned to interns, contractors and some low-ranking officers in the organization.
Range 5-9 shall have read and write access to resources on the network. The resources or information available shall likewise be limited. Officers in this range shall have permission only to read and write, not to execute. This range is mostly for people at the intermediate level in the organization.
Range 10-14 shall have access to read, write and execute resources on the network. Officers such as heads of departments in the organization shall fall into the 10-14 privilege range.
Range 15 is for the C-level officers in the organization. They shall have the right to read, write, delete and execute. Privilege mode 15 shall have the power to override any of the lower privileges.
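The level bands above are an access-control model, and the simplest way to see whether they are consistent is to enforce them in code. The following is an added example, not part of the policy document, that maps the stated ranges (0-4, 5-9, 10-14, 15) to the permissions the text grants and evaluates requests against them with a default-deny rule. The sample users and resource names are constructed; the decision to give level 16 (mentioned in the range but never assigned a band) no permissions is this example's choice, not the policy's.

```python
"""Privilege-level access check modelling the policy's level ranges.

Added example (not part of the policy document): maps the document's
level ranges 0-4, 5-9, 10-14 and 15 to the permissions the text grants
and checks a requested action against a user's level. Sample users and
resources are constructed for illustration.
"""
from dataclasses import dataclass

# (lowest level, highest level, permissions) as the policy states them.
LEVEL_BANDS = (
    (0, 4, frozenset({"read"})),
    (5, 9, frozenset({"read", "write"})),
    (10, 14, frozenset({"read", "write", "execute"})),
    (15, 15, frozenset({"read", "write", "execute", "delete"})),
)
OVERRIDE_LEVEL = 15  # privilege mode 15 may override any lower privilege


def permissions_for(level: int) -> frozenset:
    """Return the permission set granted to a privilege level."""
    if not isinstance(level, int) or level < 0:
        raise ValueError(f"invalid privilege level: {level!r}")
    for low, high, perms in LEVEL_BANDS:
        if low <= level <= high:
            return perms
    # A level the policy names but assigns no band to (e.g. 16) gets
    # nothing: fail closed rather than guess (this example's assumption).
    return frozenset()


def is_permitted(level: int, action: str) -> bool:
    """Default-deny check: an action is allowed only if the band grants it."""
    return action in permissions_for(level)


def can_override(actor_level: int, target_level: int) -> bool:
    """Only privilege mode 15 may override, and only a lower privilege."""
    return actor_level == OVERRIDE_LEVEL and target_level < actor_level


@dataclass(frozen=True)
class AccessRequest:
    user: str
    level: int
    action: str
    resource: str


def evaluate(requests):
    """Decide each request; returns (user, action, resource, decision) tuples."""
    return [
        (r.user, r.action, r.resource,
         "ALLOW" if is_permitted(r.level, r.action) else "DENY")
        for r in requests
    ]


if __name__ == "__main__":
    # Constructed sample requests for demonstration only.
    sample = [
        AccessRequest("intern01", 2, "read", "share://hr/handbook.pdf"),
        AccessRequest("intern01", 2, "write", "share://hr/handbook.pdf"),
        AccessRequest("analyst07", 7, "execute", "srv://batch/payroll.sh"),
        AccessRequest("hod12", 12, "execute", "srv://batch/payroll.sh"),
        AccessRequest("cfo", 15, "delete", "share://finance/q3.xlsx"),
    ]
    for user, action, resource, decision in evaluate(sample):
        print(f"{decision:5} {user:10} {action:8} {resource}")
```

Running the block prints one decision per request; the intern's write and the intermediate officer's execute are denied, which is exactly the separation the bands describe. Keeping the bands in one table and checking every action against it is what makes a later audit of the policy tractable: a gap such as the unassigned level 16 shows up as an explicit empty permission set rather than as undefined behaviour.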
Employees' Responsibilities (Physical)
Beyond the privilege levels, employees should know that physical security in the organization's environment is paramount. That is why it is part of the security policy document that all staff, whether permanent or temporary, must at all times abide by the following:
Wear an identity card
To maintain security, all employees must always carry their identity card within the organization's environment. The identity card must always be available on request in order to identify an individual.
Secure all electronic gadgets
When leaving the office, all electronic devices used by an individual must be turned off. Movable items such as memory cards, flash drives, or hard disks must be recorded. On no account should any staff member leave the organization's premises with any electronic gadget not assigned to him/her.
The organization's computers should be configured to lock if inactive for 10 seconds. On no account should any employee change this setting on his or her allocated computer.
Accessing the network from another device
No staff member should use his/her login details to access computer resources from a PC that is not allocated to him/her.
Use of unauthorized gadgets and personal software is prohibited
Should any employee need to access the company's information or network with a device other than the one the organization has made available for that purpose, approval from the Chief Information Technology Officer (CITO) is paramount. The CITO should make the terms and conditions known to the employee before granting his/her request.
Personal software that does not contribute to the organization's productivity shall be prohibited in the work environment. All software that needs to be installed on the organization's devices must be installed by the organization's technical staff.
Recommendation and Conclusion
Since it is one thing to set rules and regulations and another to implement them, an organization should make it a routine to perform an audit at least once every 30 days.
Anyone who has entered a certain number of incorrect passwords within the space of one month should be questioned on why this is happening. The auditing team should also report its findings, and any suspicious activities of a particular individual or group of people, to the Chief Information Technology Officer.
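The monthly check on incorrect passwords is a detection task, and it is worth showing what the auditing team's report actually has to compute. The following is an added example, not part of the policy document: it parses constructed authentication log lines, counts failed logins per user within a 30-day window, and lists the users who reached a threshold for the team to question and refer to the CITO. The log format, the threshold of 5 (the policy says only "a certain number"), the report date and the sample lines are all assumptions made for this illustration.

```python
"""Monthly failed-login audit report.

Added example, not from the policy document: parses constructed
authentication log lines, counts failed logins per user inside a
30-day window, and lists users who reached a threshold. The log
format, threshold, report date and sample lines are assumptions.
"""
from collections import Counter
from datetime import datetime, timedelta, timezone
import re

# Assumed log format: ISO timestamp, user=..., event=login, result=success|fail
LOG_LINE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) event=login result=(?P<result>success|fail)$"
)

# Report date for the audit run (assumption for this example).
REPORT_DATE = datetime(2024, 3, 31, tzinfo=timezone.utc)

# Constructed sample log lines; not real data.
SAMPLE_LOG = """\
2024-03-02T08:01:10Z user=intern01 event=login result=fail
2024-03-02T08:01:25Z user=intern01 event=login result=fail
2024-03-05T09:14:02Z user=intern01 event=login result=fail
2024-03-09T17:44:51Z user=intern01 event=login result=fail
2024-03-21T07:59:33Z user=intern01 event=login result=fail
2024-03-21T08:00:04Z user=intern01 event=login result=success
2024-03-11T10:02:00Z user=analyst07 event=login result=fail
2024-03-11T10:02:30Z user=analyst07 event=login result=success
2024-01-15T12:00:00Z user=hod12 event=login result=fail
2024-01-16T12:00:00Z user=hod12 event=login result=fail
2024-03-30T23:59:59Z user=hod12 event=login result=fail
malformed line that the parser must skip
"""


def parse_events(text):
    """Yield (timestamp, user, result) for well-formed lines; skip the rest."""
    for raw in text.splitlines():
        m = LOG_LINE.match(raw.strip())
        if not m:
            continue  # unparseable lines are skipped, never guessed at
        ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
        yield ts, m["user"], m["result"]


def failed_logins_in_window(text, window_end, days=30):
    """Count failed logins per user in the `days` up to `window_end` inclusive."""
    window_start = window_end - timedelta(days=days)
    counts = Counter()
    for ts, user, result in parse_events(text):
        if result == "fail" and window_start <= ts <= window_end:
            counts[user] += 1
    return counts


def users_to_question(text, window_end, threshold=5, days=30):
    """Users whose failure count reached the threshold, highest count first."""
    counts = failed_logins_in_window(text, window_end, days)
    flagged = [(user, n) for user, n in counts.items() if n >= threshold]
    return sorted(flagged, key=lambda item: (-item[1], item[0]))


if __name__ == "__main__":
    for user, n in users_to_question(SAMPLE_LOG, REPORT_DATE):
        print(f"{user}: {n} failed logins in the last 30 days; refer to the CITO")
```

Two details matter for an audit rather than an alert: the window is anchored to the report date so the same run can be repeated every 30 days, and events outside the window (the two January failures for hod12 in the sample) are excluded instead of accumulating forever. Malformed lines are skipped and, in a real run, should be counted and reported separately, since a logging gap is itself a finding.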