International Conference Paper: Information Security Policy Development

KEYWORDS - Information Security, UAE e-government, Controls, Risks

ABSTRACT

An information security policy may describe security in several terms, but it is not simply a set of guidelines, procedures or standards. It is a statement of goals to be achieved through procedures applied across different departments. The policy guides employees on what should be protected and what restrictions should be in place. Information security is achieved by implementing a suitable set of controls, which could be policies, practices, procedures, organisational structures and software functions. These controls are established to ensure that the specific security objectives of the organisation are met.

INTRODUCTION

The purpose of this paper is to establish a detailed policy for the government of the UAE that protects information exchange and information systems among the citizens and personnel of the UAE while they use e-government services. The policy would make it easier for e-government departments to integrate and interact with citizens, and would ensure that the UAE e-government is always capable of protecting its information assets while delivering high-quality services to consumers. A gap analysis and a survey of personnel were performed for this research, and it was observed that a detailed information security policy is lacking. This was identified as the major concern, and it also serves as a barrier to the development of a secure information system for the e-government. Lastly, the research presents a policy that brings the entire management system and the organization under a single set of requirements and ensures that they follow a unified direction in protecting information. During the preparation of this policy, a consultant project was conducted across all the pertinent departments of the UAE e-government in order to identify the existing working practices of the e-government services. Following this, the team referred to ISO27001 in order to meet the policy requirements defined in that standard. The remainder of the paper addresses the various relevant areas and establishes a standardized security policy that is aligned with the working requirements of each e-government department.

ORGANISATIONAL SECURITY AND RESPONSIBILITY

To be effective, information security must be a team effort that involves the support and participation of every worker in the company who deals with information and information systems. Various committees must be set up to handle the activities related to information security.

The Information Security Steering Committee

This committee is responsible for supporting security measures and the recommended changes to the information security policy, procedures and standards, analyzing security-related incidents, and approving remedial measures.

Information Security Implementation Committee

This committee is responsible for monitoring the application of the information security policy, reviewing the policy on a regular basis, proposing changes in line with changes in technology and strategy, handling security-related incidents, and putting corrective measures into place ...