Explain how security policies and standards affect risk and impact.
Expert Answer
We will discuss the impact of security policies and standards on risk management of enterprise information systems.
Impact of policies at the government level:
Generally, governments frame certain information security policies for organizations that deal with enterprise system development and maintenance, and those organizations have to abide by these policies and rules. The government assigns technical reviewers who may assess the risk management measures taken by the organization concerned and provide recommendations. Although regulations may not instruct organizations on how to control or secure their systems, they do require that those systems be secured in some way and that the organization prove to independent auditors that its security and control infrastructure is in place and operating effectively. The reviewers' report in general may include the following:
- Identified threats and vulnerabilities
- Recommended safeguards for mitigating these threats and vulnerabilities
- A time frame for carrying out the recommended changes
- Possible loss due to the vulnerabilities
So these regulations from the authorities ensure that organizations have at least some basic security measures in place, even if the organization's management is reluctant to spend money on security controls.
Impact of policies at the organizational level:
It is routine practice for organizations managing enterprise systems, including software, to perform a security risk assessment periodically. The methodology an organization adopts to manage the risks and vulnerabilities of its vital resources has an enduring impact on the organization in the following ways:
- It provides a road map for the implementation, evaluation and improvement of information security practices.
- It helps in reviewing the adequacy of the security standards in the existing systems.
- It provides an assessment of the physical protection applied to computing equipment and other network components.
- It reviews the present level of security awareness among the employees within the organization.
- It develops recommended measures to tackle the security issues found.
The threat from attackers has become a reality for many organizations in the recent past. In particular, any loophole in the authentication methods of an organization's systems has to be identified at the earliest opportunity. A set of well-established and effective security policies and standards plays the role of the driver here. Therefore, policies at the organizational level ensure that the greatest risks to the organization are identified and addressed on a continuing basis, thus adding value to the organization.