Information Security Policies - The Legal Risk of Uninformed Personnel

Although the development and deployment of an effective information security infrastructure within the company is imperative to the success of the overall information security discipline, it will be a futile exercise if those people who are expected to maintain and monitor information security in the company do not know what is expected and demanded of them. The importance of information security policies can not be overemphasised as it may be the most cost-effective action a company may take against information security breaches and incidents. The employees of a company may be viewed as the first line of defense when it comes to the early detection of problems. Consequently, employees on all levels of the company must be made aware of the pivotal role security, and specifically information security plays within a company. They need certainty on what their responsibility for information security within the company is, and what will happen if they do not comply with their security duties. Put differently employees need to be told what they may and may not do with corporate information assets, resources and systems. Furthermore, it should be kept in mind that although traditionally information security was viewed by the board of directors and top management as a necessary evil, at present companies are being placed under increased pressure by means of new laws and regulations to ensure that information security is effectively implemented within the company. Consequently, if an information security breach or incident occurs because of the actions of an uninformed or negligent employee, the board of directors and top management may be held personally liable for the conduct of that employees. It is therefore imperative that the information security policy of the company is formulated correctly in order to limit a company’s potential legal liability for the negligent or even intentional acts of its employees.