Chapter 4: Information Security Policy
Issue-specific Security Policy (ISSP)
An organizational policy that provides detailed, targeted guidance to instruct all members of the organization in the use of a resource, such as one of its processes or technologies.
Guidelines
Non-mandatory recommendations the employee may use as a reference in complying with a policy. If the policy states to "use strong passwords, frequently changed," the guidelines might advise that "we recommend you don't use family or pet names, or parts of your Social Security number, employee number, or phone number in your password."
Procedures
Step-by-step instructions designed to assist employees in following policies, standards, and guidelines. If the policy states to "use strong passwords, frequently changed," the procedure might advise that "in order to change your password, first click on the Windows Start button, then..."
Information Security Policies
Written instructions provided by management that inform employees and others in the workplace about proper behavior regarding the use of information and information assets.
Standard
A detailed statement of what must be done to comply with policy, sometimes viewed as the rules governing policy compliance. If the policy states that employees must "use strong passwords, frequently changed," the standard might specify that the password "must be at least 8 characters, with at least one number, one letter, and one special character."
Practices
Examples of actions that illustrate compliance with policies. If the policy states to "use strong passwords, frequently changed," the practices might advise that "according to X, most organizations require employees to change passwords at least semiannually."
Policy
In business, a statement of managerial intent designed to guide and regulate employee behavior in the organization; in IT, a computer configuration specification used to standardize system and user behavior.
System-Specific Security Policies (SysSPs)
Organizational policies that often function as standards or procedures to be used when configuring or maintaining systems. SysSPs can be separated into two general groups, managerial guidance and technical specifications, but may be written as a single unified SysSP document.
Access Control Lists (ACLs)
Specifications of authorization that govern the rights and privileges of users to a particular information asset. They include user access lists, matrices, and capability tables.
Enterprise Information Security Policy (EISP)
The high-level information security policy that sets the strategic direction, scope, and tone for all of an organization's security efforts. An EISP is also known as a security program policy, general security policy, IT security policy, high-level InfoSec policy, or simply an InfoSec policy.