CS5105 - Information Security
Assignment: Relationship of ICT policy and IT security policy
1. Why is it required to have an ICT policy prior to an IT security policy?
ICT Policy and Its Purpose
A policy is a course of action adopted and pursued by a government, party, ruler,
statesman, etc.; it is the realm of those in power. These days, organizations should realize
that proper usage of IT not only ensures data confidentiality but can also offer
competitive advantages. An ICT policy is a guide for how an organization uses ICTs to
achieve overall development within the organization and in the delivery of its services. IT
assists in benchmarking each organization's activities, identifying the areas which need
attention and where rectification needs to be carried out. An ICT policy basically covers
information, communication and technical issues.
ICT policy generally covers three main areas: telecommunications (especially telephone
communications), broadcasting (radio and TV) and the internet. It may be national,
regional or international. Each level may have its own decision-making bodies,
sometimes making different and even contradictory policies.
Some of the important purposes of the ICT policy are listed below:
Source: [WWW1]: http://www.kantei.go.jp/foreign/it/security/2001/g2.html#3
• Increasing the benefits from information technology
• Helping people and organizations to adapt to new circumstances and providing
tools and models to respond rationally to challenges posed by ICT
• Providing information and communication facilities, services and management at
a reasonable or reduced cost
• Improving the quality of services and products
• Encouraging innovations in technology development, use of technology and
general work flows
• Promoting information sharing, transparency and accountability and reducing
bureaucracy within and between organizations, and towards the public at large
• Identifying priority areas for ICT development (areas that will have the greatest
positive impact on programmes, services and customers)
IT Security Policy and its purpose
The IT Security Policy is documented to enhance the sense of security among the
organization's staff members, thus preventing information from being used at the
personal discretion of those who handle it.
Some of the main purposes of the IT Security Policy have been listed below:
• Protect people and information
• Set the rules for expected behavior by users, system administrators, management,
and security personnel
• Authorize security personnel to monitor, probe, and investigate
• Define and authorize the consequences of violation
• Define the company consensus baseline stance on security
• Help minimize risk
• Help track compliance with regulations and legislation
Information security policies provide a framework for best practice that can be followed
by all employees. They help to ensure that risk is minimized and that any security
incidents are effectively responded to.
Why is an ICT Policy required prior to an IT Security Policy?
As discussed above, the ICT policy builds the disciplined foundation on which the IT
security policy is built, addressing the following ICT characteristics: accessibility,
transparency, efficacy, efficiency, interoperability, confidentiality, integrity,
availability, accountability, equity, roles and responsibilities, and the like.
Furthermore, defining, stating and implementing an ICT policy guides the organization
with clear rules and regulations. This facilitates the proper usage of computers, e-mail
and the internet, eliminates external threats and helps prevent internal security
breaches. It also improves transparency and efficiency in the business. Enforcing the
IT security policy after the ICT policy ensures that the prerequisites are met and lets the
organization enjoy a better quality of experience. The IT security policy can also be
considered as a subset of
2. In what way does the ICTA ICT policy help the organizations to
enable their services using information systems?
Introduction to ICTA and its Roles in Policy Making
The Information and Communication Technology Agency (ICTA) of Sri Lanka is the
single apex body involved in ICT policy and direction for the nation. Wholly owned by
the Government of Sri Lanka, ICTA is the implementing organization of the e-Sri Lanka
Initiative [WWW2: http://www.icta.lk].
Their vision is:
"To harness ICT as a lever for economic and social advancement by taking the dividends
of ICT to every village, to every citizen, to every business & to re-engineer the way
government thinks & works".
The roles of ICTA can be categorized as follows:
• Development of ICT Human Resources
• Building the information infrastructure
• ICT investment and private sector development
• Creating an empowered knowledge based society
• Re-engineering government to deliver citizen services
How does the ICTA ICT policy help organizations to enable their services using IS?
In Sri Lanka, information systems are seen as a threat by most organizations' staff
because of the digital divide, the non-dissemination of ICT to their regions, and the like.
Since ICTA is a government organization and is backed by the ICT policy, it increases the
ease of implementation of, and trust in, IS. Since the policy is available in all three
languages, it creates awareness of the policy from the top to the bottom of the staff
hierarchy. The ICTA ICT policy also enables organizations to work together more easily
and electronically, with information being reusable from one agency to another.
ICTA is an autonomous agency, government owned but with a more flexible 'private
sector style' mode of operation, and it attracts Sri Lankan professionals including some
from overseas. This has helped ICTA to meet and successfully overcome major obstacles to
progress which would have brought any other institution to a grinding halt.
Barely two and a half years old, ICTA is already showing remarkable agility and ability
to respond to the ever-changing environment, and has made extremely satisfactory
progress to date. This serves to underline the importance of building local capacity to
drive complex initiatives of this nature.
ICTA manages to retain core staff and, when this is not possible, ensures that the
institutional learning mechanisms are in place to allow as smooth a transition as possible.
It has further enabled infrastructure development; cost savings in service delivery,
purchasing, communication, etc.; electronic commerce and secure transactions; and the
development of technological standards in organizations.
3. What are the shortcomings in the ICTA ICT policy?
• The ICT policy has been built on a large number of assumptions, such as:
o certain required skills are already available in the local private sector
o the local private sector and NGOs would gear up to add capacity and skill sets
o organizations from across the different sectors would look to establish
partnerships with one another to address the diverse needs of
These assumptions proved false. Hence the ICTA policy is not yet effective.
• The policy has been built within the prevailing laws and regulations of the country,
which introduced limitations into the policy.
• Sufficient infrastructure has not been developed as necessary; hence full
implementation of the policy is a major problem.
• The digital divide in the country.
• Policies for data management systems have not been incorporated.
• The IT literacy rate of the country is low.
• It is not yet accepted at the national level.
• Low awareness among citizens.
• Political influences.
• Low commitment from government organizations.
4. What difficulties would the organizations face in implementing the ISO/IEC 27000 standard?
Understanding of the ISO 27000 Standard (from the material: International Standard
ISO/IEC 27000, last updated 2009/05/01)
ISO/IEC 27000 is part of a growing family of ISO/IEC Information Security
Management Systems (ISMS) standards, the 'ISO/IEC 27000 series'. ISO/IEC 27000 is a
new international standard entitled: "Information technology - Security techniques -
Information security management systems - Overview and vocabulary". The standard is
known informally, if incorrectly, as "ISO 27000". The standard was developed by sub-
committee 27 (SC27) of the first Joint Technical Committee (JTC1) of the International
Organization for Standardization and the International Electrotechnical Commission.
ISO/IEC 27000 provides:
• An overview of and introduction to the entire ISO/IEC 27000 family of Information
Security Management Systems (ISMS) standards; and
• A glossary or vocabulary of fundamental terms and definitions used throughout the
ISO/IEC 27000 family.
Information security, like many technical subjects, is evolving a complex web of
terminology. Relatively few authors take the trouble to define precisely what they mean,
an approach which is unacceptable in the standards arena as it potentially leads to
confusion and devalues formal assessment and certification. As with ISO 9000 and ISO
14000, the base '000' standard is intended to address this.
Difficulties in Enforcing the Standard
• This standard is an enhancement of the earlier British standard. Hence, it is much
more focused on British organizations and people.
• Implementation requires the prerequisites below to be satisfied, which increases the
burden on organizations.
o Awareness of the need for information security
o Assignment of responsibility for information security
o Incorporating management commitment and the interests of stakeholders
o Enhancing societal values
o Risk assessments determining appropriate controls to reach acceptable
levels of risk
o Security incorporated as an essential element of information networks and
o Active prevention and detection of information security incidents
o Ensuring a comprehensive approach to information security management
o Continual reassessment of information security and making of
modifications as appropriate
• A high cost factor is involved in all the pre- and post-implementation activities below:
o Purchase the Standard
o Consider Training
o Assemble a team and agree your strategy
o Review Consultancy Options
o Undertake a Risk Assessment
o Develop a Policy Document
o Develop Supporting Literature
o Choose a registrar
o Implement your Information Security Management System
o Gain registration
o Continual assessment
• Risks and overheads involved in standard implementations for SMEs
o Lack of alignment of the information security policy, objectives, and
activities against the organizational objectives
o Lack of professional approach and framework for designing,
implementing, monitoring, maintaining, and improving information
security consistent with the organizational culture
o Lack of visible support and commitment from all levels of management,
especially top management
o Lack of understanding of information asset protection requirements
achieved through the application of information security risk management
o Lack of information security awareness, training & education for the
o Lack of information conveyance to all employees and other relevant
parties of their information security obligations set forth in the information
security policies, standards and motivating them to act accordingly
o Absence of information security incident management process
o Absence of effective business continuity management approach
o Absence of a measurement system used to evaluate performance in
information security management and feedback suggestions for