Ch. 4 Information Security Policy
Standard
More detailed statement of what must be done to comply with policy. Are built on sound policy and carry the weight of policy.
System-specific security policies
Often function as standards or procedures to be used when configuring or maintaining systems.
Information Security Policies
Written instructions, provided by management, to inform employees and others in the workplace of the proper behavior regarding the use of information and information assets.
(3) Types of InfoSec Policy
-Enterprise Information Security Policy (EISP)
-Issue-Specific Security Policies (ISSP)
-System-specific security policies (SysSP)
Rules when shaping a policy:
-Policy should never conflict with law
-Policy must be able to stand up in court if challenged
-Policy must be properly supported and administered
Guidelines for Effective Policy
1. Developed using industry-accepted practices
2. Distributed using all appropriate methods
3. Read by all employees
4. Understood by all employees
5. Formally agreed to by act or affirmation
6. Uniformly applied and enforced
Policy
A plan or course of action, as of a government, political party, or business, intended to influence and determine decisions, actions, and other matters. Policies comprise a set of rules that dictate acceptable and unacceptable behavior within an organization.
Practices, Procedures and Guidelines
Explain how employees are to comply with policy. Include detailed steps required to meet the requirements of standards.
Access Control Lists (ACLs)
Include the user access lists, matrices, and capability tables that govern the rights and privileges of users. Regulate the following aspects of access:
-Who can use the system
-What authorized users can access
-When authorized users can access the system
-Where authorized users can access the system from
-How authorized users can access the system
Issue-specific security policy (ISSP)
Provides detailed, targeted guidance to instruct all members of the organization in the use of a resource, such as a process or a technology employed by the organization.
Examples of user privileges (aka permissions)
Read, write, execute, delete
Enterprise Information Security Policy (EISP)
Sets the strategic direction, scope, and tone for all of an organization's security efforts.