
Chapter: Information Security : Logical Design

Information Security Policy

· Creation of an information security program begins with the creation and/or review of the organization’s information security policies, standards, and practices

· Then, selection or creation of an information security architecture and the development and use of a detailed information security blueprint create a plan for future success

· Security education and training are needed to successfully implement policies and ensure a secure environment

Why Policy?

· A quality information security program begins and ends with policy

· Policies are the least expensive means of control and often the most difficult to implement

· Some basic rules must be followed when shaping a policy:

–   Never conflict with law

–   Stand up in court

–   Be properly supported and administered

–   Contribute to the success of the organization

–   Involve end users of information systems




· Policy: a course of action used by an organization to convey instructions from management to those who perform duties

–   Organizational rules for acceptable/unacceptable behavior

–   Penalties for violations

–   Appeals process

· Standards: more detailed statements of what must be done to comply with policy

· Practices, procedures and guidelines effectively explain how to comply with policy

· For a policy to be effective it must be:

–   Properly disseminated

–   Read

–   Understood

–   Agreed to by all members of the organization



Types of Policies

·   Enterprise Information Security Program Policy (EISP)

·   Issue-Specific Information Security Policy (ISSP)

·   Systems-Specific Information Security Policy (SysSP)


1. Enterprise Information Security Policy (EISP)

·   Also known as a general security policy, IT security policy, or information security policy

·   Sets the strategic direction, scope, and tone for all security efforts within the organization

·   Assigns responsibilities to the various areas of information security

·   Guides the development, implementation, and management of the information security program


2. Issue-Specific Security Policy (ISSP)

·   The ISSP:

–   Addresses specific areas of technology

–   Requires frequent updates

–   Contains a statement of the organization’s position on the specific issue

·   Approaches to creating and managing ISSPs:

–   Create a number of independent ISSP documents

–   Create a single comprehensive ISSP document

–   Create a modular ISSP document

·   ISSP topics could include: e-mail, use of the Web, configuration of computers to defend against worms and viruses, prohibitions against hacking or testing the organisation’s security controls, home use of company-owned computer equipment, use of personal equipment on company networks, use of telecommunications technologies (fax and phone), and use of photocopiers


Components of the ISSP

1.  Statement of Policy

–   Scope and Applicability

–   Definition of Technology Addressed

–   Responsibilities

2.  Authorized Access and Usage of Equipment

–   User Access

–   Fair and Responsible Use

–   Protection of Privacy

3.  Prohibited Usage of Equipment

–   Disruptive Use or Misuse

–   Criminal Use

–   Offensive or Harassing Materials

–   Copyrighted, Licensed or other Intellectual Property

–   Other Restrictions

4.  Systems Management

–   Management of Stored Materials

–   Employer Monitoring

–   Virus Protection

–   Physical Security

–   Encryption

5.  Violations of Policy

–   Procedures for Reporting Violations

–   Penalties for Violations

6.  Policy Review and Modification

–   Scheduled Review of Policy and Procedures for Modification

7.  Limitations of Liability

–   Statements of Liability or Disclaimers


3. Systems-Specific Policy (SysSP)

·   SysSPs are frequently codified as standards and procedures to be used when configuring or maintaining systems

·   Systems-specific policies fall into two groups:

–   Access control lists (ACLs): the access control lists, matrices, and capability tables governing the rights and privileges of a particular user to a particular system

–   Configuration rules: the specific configuration codes entered into security systems to guide the execution of the system


ACL Policies

·   Both the Microsoft Windows NT/2000 and Novell NetWare 5.x/6.x families of systems translate ACLs into sets of configurations that administrators use to control access to their respective systems

·   ACLs allow a system’s configuration to restrict access by anyone and from anywhere

·   ACLs regulate:

–   Who can use the system

–   What authorized users can access

–   When authorized users can access the system

–   Where authorized users can access the system from

–   How authorized users can access the system
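The SysSP and ACL bullets above describe rights in the abstract; the following is an added example (not from these notes or from either vendor's products) showing a default-deny ACL check that enforces all five dimensions, plus the same entries re-expressed as a capability table. The rule layout, user names, resource names, time windows and networks are constructed for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed example: a systems-specific ACL whose entries cover the
# who / what / when / where / how dimensions the notes say ACLs regulate.
@dataclass(frozen=True)
class AclRule:
    subject: str          # who: the user
    obj: str              # what: the system or resource
    rights: frozenset     # how: operations granted (read, write, ...)
    start: str            # when: start of permitted daily window, "HH:MM"
    end: str              # when: end of permitted daily window, "HH:MM"
    source: str           # where: network the request must come from

# Zero-padded "HH:MM" strings compare correctly as plain strings.
ACL = [
    AclRule("alice", "payroll-db", frozenset({"read"}), "08:00", "18:00", "10.0.1.0/24"),
    AclRule("bob", "payroll-db", frozenset({"read", "write"}), "00:00", "23:59", "10.0.0.0/16"),
    AclRule("bob", "hr-share", frozenset({"read"}), "08:00", "18:00", "10.0.0.0/16"),
]

def evaluate(acl, subject, obj, right, at, src_ip):
    """Default-deny check: every dimension must match or the request is refused.
    Returns (decision, reason) so an audit log can record which dimension failed."""
    src = ip_address(src_ip)
    for rule in acl:
        if rule.subject != subject or rule.obj != obj:
            continue
        if right not in rule.rights:
            return ("deny", "how: operation not granted")
        if not (rule.start <= at <= rule.end):
            return ("deny", "when: outside permitted window")
        if src not in ip_network(rule.source):
            return ("deny", "where: source network not permitted")
        return ("permit", "rule matched")
    return ("deny", "who/what: no entry for subject on object")

def capability_table(acl):
    """The same rights viewed per subject (capability table) instead of per object."""
    table = {}
    for rule in acl:
        table.setdefault(rule.subject, {})[rule.obj] = set(rule.rights)
    return table
```

The reason string is what makes the check auditable: a denial that names the failing dimension is far easier to review than a bare "access denied".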



Information Security Blueprint

·   The security blueprint is the basis for the design, selection, and implementation of all security policies, education and training programs, and technological controls.

·   It is a more detailed version of the security framework, which is an outline of the organization’s overall information security strategy and a road map for planned changes to its information security environment.

·   It should specify the tasks to be accomplished and the order in which they are to be realized.

·   It should also serve as a scalable, upgradeable, and comprehensive plan for the organization’s information security needs in the coming years.
