Information Security Policy: Chapter
CHAPTER
Objectives
Upon completion of this material you should be able to:
Define information security policy and understand its central role in a successful information security program
Describe the three major types of information security policy and explain what goes into each type
Develop, implement, and maintain various types of information security policies
Management of Information Security, 3rd ed.
Introduction
Policy is the essential foundation of an effective information security program
The success of an information resources protection program depends on the policy generated, and on the attitude of management toward securing information on automated systems
The policy maker sets the tone and emphasizes the importance of information security
Introduction (contd.)
Policy objectives
Reduced risk
Compliance with laws and regulations
Assurance of operational continuity, information integrity, and confidentiality
Why Policy?
A quality information security program begins and ends with policy
Policies are the least expensive means of control and often the most difficult to implement
Basic rules for shaping a policy:
Policy should never conflict with law
Policy must be able to stand up in court if challenged
Policy must be properly supported and administered
Practices
Procedures and guidelines explain how employees will comply with policy
EISP Elements
EISP documents should provide:
An overview of the corporate philosophy on security
Information about the information security organization and information security roles
Responsibilities for security that are shared by all members of the organization
Responsibilities for security that are unique to each role within the organization
Indemnifies the organization against liability for an employee's inappropriate or illegal system use
Violations of policy
Procedures for reporting violations
Penalties for violations
Limitations of liability
Statements of liability or disclaimers
The former is an exercise in project management, while the latter requires adherence to good business practices
Policy Comprehension
Automated Tools
SP 800-18 Rev.1: Guide for Developing Security Plans for Federal Information Systems
NIST Special Publication 800-18, Rev. 1 reinforces a business process-centered approach to policy management
Policies are living documents
These documents must be properly disseminated (distributed, read, understood and agreed to), and managed
SP 800-18 Rev.1: Guide for Developing Security Plans for Federal Information Systems (contd.)
Good management practices for policy development and maintenance make for a more resilient organization
Policy requirements:
An individual responsible for reviews
A schedule of reviews
SP 800-18 Rev.1: Guide for Developing Security Plans for Federal Information Systems (contd.)
Policy requirements (contd.)
A method for making recommendations for reviews
An indication of the policy date and revision date
Summary
Introduction
Why Policy?
Enterprise Information Security Policy
Issue-Specific Security Policy
System-Specific Policy
Guidelines for Policy Development