Scribd
Upload
46 views4 pages

3.1 Information Security Policies: Misuse, Unauthorized Disclosure or Modification

Uploaded by

ADITYA SINGH

Information security policies are the foundation of an organization's security infrastructure and are intended to protect companies from lawsuits, lost revenue, and bad publicity. They describe the security controls that will be implemented at a high level and reduce legal liability, protect confidential information, and prevent waste. Security policies should determine rules for encryption, access control, authentication, firewalls, anti-virus systems, websites, and more. The objective is to guide the use of systems and reduce risks to information assets. A security policy provides a consistent application of security principles and is a reference for matters of security.

Copyright:

© All Rights Reserved
Download as DOCX, PDF, TXT or read online from Scribd
Download as docx, pdf, or txt

3.1 Information Security Policies: Misuse, Unauthorized Disclosure or Modification

Uploaded by

ADITYA SINGH
46 views4 pages
Information security policies are the foundation of an organization's security infrastructure and are intended to protect companies from lawsuits, lost revenue, and bad publicity. They describe the security controls that will be implemented at a high level and reduce legal liability, protect confidential information, and prevent waste. Security policies should determine rules for encryption, access control, authentication, firewalls, anti-virus systems, websites, and more. The objective is to guide the use of systems and reduce risks to information assets. A security policy provides a consistent application of security principles and is a reference for matters of security.

Original Description:

sc s s s c c d d dd d dfvsvsvsvsvsvssd

Original Title

FALLSEM2020-21_CSE3501_ETH_VL2020210102628_Reference_Material_I_20-Aug-2020_ISAA_MOD3-3.1 (2)

Copyright

© © All Rights Reserved

Available Formats

DOCX, PDF, TXT or read online from Scribd

Did you find this document useful?

Is this content inappropriate?

Information security policies are the foundation of an organization's security infrastructure and are intended to protect companies from lawsuits, lost revenue, and bad publicity. They describe the security controls that will be implemented at a high level and reduce legal liability, protect confidential information, and prevent waste. Security policies should determine rules for encryption, access control, authentication, firewalls, anti-virus systems, websites, and more. The objective is to guide the use of systems and reduce risks to information assets. A security policy provides a consistent application of security principles and is a reference for matters of security.

Copyright:

© All Rights Reserved
Download as DOCX, PDF, TXT or read online from Scribd
Download as docx, pdf, or txt
46 views4 pages

3.1 Information Security Policies: Misuse, Unauthorized Disclosure or Modification

Uploaded by

ADITYA SINGH
Information security policies are the foundation of an organization's security infrastructure and are intended to protect companies from lawsuits, lost revenue, and bad publicity. They describe the security controls that will be implemented at a high level and reduce legal liability, protect confidential information, and prevent waste. Security policies should determine rules for encryption, access control, authentication, firewalls, anti-virus systems, websites, and more. The objective is to guide the use of systems and reduce risks to information assets. A security policy provides a consistent application of security principles and is a reference for matters of security.

Copyright:

© All Rights Reserved
Download as DOCX, PDF, TXT or read online from Scribd
Download as docx, pdf, or txt
You are on page 1/ 4

3.

1 Information Security Policies

 Security policies - foundation of security infrastructure - protect


company from possible lawsuits, lost revenue and bad publicity
 A security policy is a document or set of documents that describes
o at a high level, the security controls that will be implemented
by the company.
 Policies are not technology specific and do three things for an
organization:
o Reduce or eliminate legal liability to employees and third
parties.
o Protect confidential, proprietary information from theft,
misuse, unauthorized disclosure or modification.
o Prevent waste of company computing resources.

 Organisations are giving more priority to development of information


security policies
 Lack of clarity in InfoSec policies can lead to catastrophic damages
which cannot be recovered.
 An information security policy provides management direction and
support for information security across the organisation.

There are two types of basic security policies:


Technical security policies: these include how technology should be
configured and used.
Administrative security policies: these include how people (both
end users and management) should behave/ respond to security.

Persons responsible for the implementation of the security policies are:


Director of Information Security
Chief Security Officer
Director of Information Technology
Chief Information Officer

 Information in an organisation will be both electronic and hard copy,


and this information needs to be secured properly against the
consequences of breaches of confidentiality, integrity and availability.
 Proper security measures need to be implemented to control and
secure information from unauthorised changes, deletions and
disclosures.
 To find the level of security measures that need to be applied, a risk
assessment is mandatory.
 Security policies are intended to define what is expected from
employees within an organisation with respect to information systems.
 The objective is to guide or control the use of systems to reduce the
risk to information assets. It also gives the staff who are dealing with
information systems an acceptable use policy, explaining what is
allowed and what not. Security policies of all companies are not same,
but the key motive behind them is to protect assets. Security policies
are tailored to the specific mission goals.

A security policy should determine rules and regulations for the


following systems:

Encryption mechanisms

Access control devices

Authentication systems

Firewalls

Anti-virus systems

Websites

Gateways

Routers and switches

Necessity of a security policy

A security policy is that plan that provides for the consistent application of
security principles throughout your company. After implementation, it
becomes a reference guide when matters of security arise.

Lastly, one of the most common reasons why companies create security
policies today is to fulfill regulations and meet standards that relate to
security of digital information.

Once the security policy is implemented, it will be a part of day-to-day


business activities. Security policies that are implemented need to be
reviewed whenever there is an organizational change. Policies can be
monitored by depending on any monitoring solutions like SIEM and the
violation of security policies can be seriously dealt with. There should also
be a mechanism to report any violations to the policy.

Below is a list of some of the security policies that an organization may


have:

Access Control Policy How information is accessed

Contingency Planning How availability of data is made online 24/7


Policy

Data Classification
Policy How data are classified

How changes are made to directories or the file


Change Control Policy server

How wireless infrastructure devices need to be


Wireless Policy configured

Incident Response
Policy How incidents are reported and investigated

Termination of Access
Policy How employees are terminated

Backup Policy How data are backed up

Virus Policy How virus infections need to be dealt with

Retention Policy How data can be stored

Physical Access Policy How access to the physical area is obtained

Security Awareness
Policy How security awareness are carried out

Audit Trail Policy How audit trails are analyzed

Firewall Policy How firewalls are named, configured etc.

Network Security Policy How network systems can be secured

How data are encrypted, the encryption method


Encryption Policy used etc.

Promiscuous Policy Firewall Management Policy


Others
Permissive Policy

Special Access Policy


Prudent Policy Network Connection Policy

Paranoid Policy

Network Business Partner Policy

Acceptable Use Policy

User Account Policy

Data Classification Policy

Intrusion Detection Policy

Remote Access Policy

Virus Prevention Policy

Information Protection Policy

Laptop Security Policy

Personal Security Policy

Cryptography Policy

You might also like