IT Security Policy Framework

This IT Security Policy Framework is drafted for the network system of a medium-sized insurance organization. The framework broadly investigates five distinct categories of risk: Financial Risk, Strategic Risks, Compliance Risks, Operational Risks, and other types of Risks.

The COSO (Committee of Sponsoring Organizations of the Treadway Commission) Framework will be used as the IT Security Policy Framework for the insurance organization. This framework establishes an integrated process of internal controls. It supports better management of the organization by assessing how efficiently internal controls are used. The framework includes five parts:

  1. Control Environment: This environment comprises factors related to the integrity of people, and to management and control authority and duties inside the organization.
  2. Risk Assessment: This part identifies and estimates the risks to the organization.
  3. Control Activities: This part includes the ideas and strategies of the organization.
  4. Communication and Information: This part contains the communication channels and the identification of information significant to the business, used for passing control activities from administrators to staff.
  5. Monitoring: This part includes the process used to watch and evaluate the state of all internal control methods over time.

The main objectives for establishing compliance of IT security controls with U.S. laws and regulations are Operations, Reporting, and Compliance across group entities. Operations objectives ensure that jobs and goals are accomplished successfully. Reporting objectives involve producing good reports; these reports may be internal or external, and financial or non-financial. Compliance objectives concern the laws and regulations that apply to the organization's actions and activities. (Soske, S. E, 2013)

The control environment provides discipline, process, and structure. Five policies relate to the Control Environment: (Soske, S. E, 2013)

  1. The organization shows a commitment to integrity and ethical values.
  2. The board of directors confirms its independence from management and exercises oversight of the development and review of internal control.
  3. Executives establish structures, reporting lines, and appropriate authorities and duties in the pursuit of objectives.
  4. The organization demonstrates a commitment to attract, develop, and retain competent individuals in alignment with objectives.
  5. The insurance organization also holds individuals accountable for their internal control duties in the pursuit of objectives.

Risk Assessment examines the risks to the entity’s objectives and determines how those risks will be handled. Four policies relate to Risk Assessment: (Soske, S. E, 2013)

  1. The organization defines goals with enough clarity to allow the identification and evaluation of risks relating to those objectives.
  2. The organization identifies risks to the achievement of its goals across the entity and analyzes those risks as a basis for deciding how they should be handled.
  3. The organization considers the possibility of fraud when evaluating risks to the achievement of its objectives.
  4. The organization identifies and evaluates changes that could significantly affect the system of internal control.

Monitoring activities consist mostly of separate evaluations, activity evaluations, or a mixture of the two, and are controlled by the different parts of internal control. Two policies relate to Monitoring Activities: (Soske, S. E, 2013)

  1. The organization selects, develops, and conducts continuous and separate evaluations to determine whether the parts of internal control are in working condition.
  2. The organization evaluates and communicates internal control deficiencies in a timely way to those parties responsible for taking corrective action, including directors and senior management.

Policies would be the high-level documents that strengthen our organization-level information security policy. Procedures would have more detail, but would not be operational process documents. Policies and procedures would be substantial requirements that must be met. “The structure of policy information is given as:

  1. Acceptable Use Policy
  2. Frequently Asked Questions
  3. Email Security Procedure
  4. Email Security Guidelines
  5. Instant Messaging Procedure” (VanCura, L. , 2005)

The security frameworks provided by NIST (SP 800-53), the ISO/IEC 27000 series and COBIT provide the standards and regulatory requirements that security policies should follow. By studying these regulations in connection with the security policies, you can recognize how non-compliance can be avoided. (Johnson, 2011)

The seven domains to be managed in developing an effective IT Security Policy Framework are: User, Workstation, LAN, WAN, LAN-to-WAN, Remote Access, and System/Application. (Johnson, 2011) Each domain has unique functions for data quality and handling. The following individuals analyze the challenge together with the security group to ensure data quality in the business:

  • Data administrators
  • Data security administrators
  • Data stewards
  • Head of information management
  • Data custodians

Implementing a governance framework allows the organization to identify and mitigate risks in an orderly fashion. The IT Security Policy Framework provides the ability to estimate risk:

  • In the context of how well the organization has achieved leading practices.
  • In the context of how much of the organization’s risk is covered by the resulting implemented controls. (Johnson, 2011)

A well-defined governance and compliance framework provides a structured approach. To implement the policy control design methods, the framework should specify the mapping to significant laws and regulations, e.g. the Sarbanes-Oxley (SOX) Act.

After completing this analysis, I will meet with the organization’s IT staff to evaluate my findings. After evaluation of the policy fields, the framework will be presented to senior officials. Once the senior officials and the CIO have approved it or changes have been made, the policy will then be implemented.

Johnson, R., & Merkow, M. S. (2011). Security policies and implementation issues. Sudbury, MA: Jones & Bartlett Learning.

Soske, S. E., & Martens, F. J. (2013, May). COSO, Committee of Sponsoring Organizations of the Treadway Commission, 2011, “Internal Control – Integrated Framework”, American Institute of Certified Public Accountants, Durham, NC. Retrieved January 29, 2016, from

VanCura, L. (2005, January 20). SANS Institute InfoSec Reading Room. Retrieved January 29, 2016, from