Who is responsible for securing an organization’s information? The Research and Evaluation department? Not exactly. The Management Information System (MIS) staff? Wrong again. It is not only individual employees or departments that are responsible for the security of confidential information, but also the institution itself. It is, therefore, incumbent upon top administrators, who are charged with protecting the institution’s best interests, to ensure that an appropriate and effective security policy is developed and put into practice throughout the organization.

read closely! While policies themselves do not solve problems, and in fact can complicate things unless they are written and observed, the policy does define the ideal toward which all organizational efforts should point. Security policy refers to clear, comprehensive, and well-defined plans, rules, and practices that regulate access to an organization’s system and the information included in it. A good policy protects not only information and systems but also individual employees and the organization. It also serves as a prominent statement to the outside world about the organization’s commitment to security.