
IS Policy, Standards and Guidelines
Information systems, the information they hold, and the communications mechanisms that deliver the information are pervasive — from the user's computing device, to local and wide area networks, to servers. Management has a responsibility to ensure that the organization provides all users, i.e. their employees, vendors and clients, with a secure information systems environment.

Security relates to the protection of valuable assets against loss, disclosure, or damage. Valuable assets are the data or information recorded, processed, stored, shared, transmitted, or retrieved from an electronic medium. These assets must be protected from threats that would lead to their loss, inaccessibility, alteration, or wrongful use.
To meet the security objective, an ongoing and integrated approach is necessary. This includes policy development, roles and responsibilities, measures, and procedures. Users must be trained in the skills needed to operate information systems securely, and they must be aware that these practices are critical to an organization's survival. Monitoring is needed to detect and correct security breaches and to ensure that actual and suspected breaches are promptly identified, investigated, and acted upon. This ensures ongoing compliance with policy, standards, and minimum acceptable security practices.
With the ever-changing technological environment, what is state-of-the-art today will be obsolete tomorrow. Thus security must keep pace with these changes. Protecting a WLAN's infrastructure with MAC filtering, 802.1X security protocols, and other software security measures is just one facet of security. An information security policy is necessary to ensure that:
  1. Data and other confidential information the WLAN contains is protected from theft or misuse;
  2. Users are trained in acceptable use of computing equipment and software;
  3. Procedures are in place for detecting, containing, and responding to intrusions;
  4. Procedures are in place for measuring user compliance; and
  5. The policy's effectiveness is measured and reported to management.

Additionally, an information security policy must address the requirements of any number of local, state and federal laws dealing with information security. Here are two examples, their requirements, and the cost of non-compliance:

  • The Health Insurance Portability and Accountability Act of 1996 (HIPAA) requires medical and medical insurance businesses to protect the privacy of personal health information. They must implement policies and procedures to safeguard it in any format, paper or electronic. Fines for ignoring a specific requirement under HIPAA can reach $25,000 per violation.
  • The Gramm-Leach-Bliley Act (GLBA) requires financial institutions to protect consumers' personal financial information. They must implement a comprehensive, written information security program with administrative, technical and physical safeguards for customer information. Fines for failure to do so can reach $500,000.

Security is a complex mixture of technology, business processes and people. An information security policy cannot be static and universal. It must not only address current processes and technologies; it must also be reviewed on a regular basis and updated as these processes and technologies change over time. The goal is to integrate security into an organization in such a way as to enhance and safeguard each facet in the least intrusive yet most effective way possible at a given time.