Scope of IT Security
1. Definition of Security.
Security can be defined as "the state of being free from unacceptable risk". The risk concerns the following categories of losses:
• Confidentiality of Information.
• Integrity of data.
• Assets.
• Efficient and Appropriate Use.
• System Availability.
Confidentiality refers to the privacy of personal or corporate information. This includes issues of copyright.
Integrity refers to the accuracy of data. Loss of data integrity may be gross and evident, as when a computer disc fails, or subtle, as when a character in a file is altered.
The assets that must be protected include:
• Computer and Peripheral Equipment.
• Communications Equipment.
• Computing and Communications Premises.
• Power, Water, Environmental Control, and Communications utilities.
• Supplies and Data Storage Media.
• System Computer Programs and Documentation.
• Application Computer Programs and Documentation.
• Information.
Efficient and Appropriate Use ensures that the company’s IT resources are used for the purposes for which they were intended, in a manner that does not