
Controlling Organisational IT Security: Policies and Procedures

Podcast episode 27: Controlling Organisational IT Security: Policies and Procedures. Alex and Sam explore key concepts from the Pearson BTEC Higher Nationals in Computing. Full transcript included.

Series: HTQ Computing: The Study Podcast  |  Module: Unit 5: Security  |  Episode 27 of 80  |  Hosts: Alex with Sam, Computing Specialist
Key Takeaways
  • Acceptable use policies define how employees may and may not use organisational IT resources, providing a clear framework for expected behaviour.
  • Access control frameworks such as Role-Based Access Control ensure that users can only access the data and systems they need for their role.
  • Regular security audits and penetration tests identify weaknesses in an organisation's controls before attackers can exploit them.
  • Staff security awareness training is one of the most cost-effective security investments an organisation can make, reducing the risk of human error.
  • Incident response procedures define what to do when a security incident occurs, enabling a faster and more effective organisational response.
Full Transcript

Alex: Today we're looking at how organisations control IT security through policies and procedures. Sam, technology alone isn't enough, is it?

Sam: Far from it. The majority of successful cyber attacks exploit people rather than technology directly. Phishing emails that trick users into clicking links, employees using weak passwords, staff being social-engineered into revealing information they shouldn't: all of these are human problems, not purely technical ones. Policies, procedures, and training are the controls that address the human dimension of security.

Alex: What is an acceptable use policy?

Sam: An acceptable use policy, or AUP, is a document that sets out the rules for how employees may use organisational IT resources. It covers things like what software can be installed on company devices, how company data can be handled, whether personal use of company systems is permitted and to what extent, and the consequences of violating the policy. It provides clear expectations for employees and a legal basis for taking action when those expectations are violated.

Alex: What about access control policies?

Sam: Access control policies define who can access what. Role-Based Access Control, RBAC, is the most common framework: rather than assigning permissions to individual users, you assign permissions to roles, and then assign users to roles. A finance analyst role might have access to financial reports but not to HR records. When someone moves to a different role, you simply change their role assignment rather than individually adjusting dozens of permissions.

Alex: How do security audits fit in?

Sam: Security audits are periodic reviews of an organisation's security posture. They examine whether controls are in place, whether they're working effectively, and whether they're still appropriate given the current risk environment. Internal audits are conducted by the organisation's own staff or internal audit function; external audits are conducted by independent specialists and carry more credibility. The findings are used to prioritise security improvements.

Alex: Penetration testing is related to that?

Sam: Penetration testing, or pen testing, is a more active assessment where authorised ethical hackers attempt to breach the organisation's systems and defences. It provides a real-world test of whether controls work in practice, and often discovers vulnerabilities that no amount of documentation review would reveal. The output is a report of findings, typically prioritised by severity, that guides remediation efforts.

Alex: What role does staff training play?

Sam: An enormous one. Security awareness training teaches employees to recognise phishing emails, handle sensitive data correctly, use strong passwords, lock their screens when leaving their desk, and report suspicious activity. Even the most technically sophisticated security infrastructure can be undermined by an employee who clicks on a malicious link or shares a password over the phone. Regular, engaging training significantly reduces this human risk factor.

Alex: And what does an incident response procedure do?

Sam: It provides a clear playbook for what to do when a security incident occurs. Without it, the response to an incident is chaotic: people don't know their roles, evidence gets destroyed, communication is inconsistent, and the organisation takes much longer to contain and recover from the incident. A good incident response plan defines roles, communication channels, escalation paths, containment procedures, and recovery steps.

Alex: Brilliant. A comprehensive framework. Thanks Sam. Next we look at security governance and compliance.