Information Security Policy Development for Management By Peter McCarthy.

Brief Overview
- Why Policy?
- What Is Policy?
- Basic Rules For Policy Development
- 3 Types Of Policy
- Using SecSDLC
- Complying With Policy
- Policies, Standards, & Practices

Why Policy?
- Information security policy is central to virtually everything that happens in the information security field, and this is becoming increasingly evident.
- An effective information security training and awareness effort cannot be started without first writing information security policies, because the policies provide the essential content for the training and awareness material.
- Properly developed and implemented policies allow the information security program to function almost seamlessly within the workplace.

The Bull's-eye Model
(The model figure is not reproduced in this transcript.) In the bull's-eye model from Whitman and Mattord, security is addressed in layers from the outside in: policies, then networks, then systems, then applications. Policy is the outermost ring because it governs the decisions made in every inner layer.

What Is Policy?
- Policy is a plan or course of action, as of a government, political party, or business, intended to influence and determine decisions, actions, and other matters.
- Policies comprise a set of rules that dictate acceptable and unacceptable behavior within an organization.
- Policies must also specify the penalties for unacceptable behavior and define an appeal process.

Basic Rules for Policy Development
- Set the information resource security policy for the organization with the objectives of reducing risk, complying with laws and regulations, and assuring operational continuity, information integrity, and confidentiality.
- Policy must be able to stand up in court if challenged.
- Policy must be properly supported and administered.

Basic Rules For Policy Development (cont.)
- All policies must contribute to the success of the organization.
- Management must ensure that responsibility for the proper use of information systems is adequately shared.
- End users of information systems should be involved in the steps of policy formulation.

3 Types of Policy
- Enterprise information security program policy (EISP)
- Issue-specific security policies (ISSP)
- System-specific security policies (SysSP)

Enterprise Information Security Policy (EISP)
- The EISP sets the strategic direction, scope, and tone for all of an organization's security efforts.
- It assigns responsibilities for the various areas of information security, including maintenance of information security policies and the practices and responsibilities of end users.
- It guides the development, implementation, and management requirements of the information security program.
- It must directly support the organization's vision and mission statements.
- It must be defensible if legal challenges to it arise.

Issue-Specific Security Policy (ISSP)
- The ISSP provides detailed, targeted guidance to instruct all members of the organization in the use of technology-based systems.
- Its purpose is not to establish a legal foundation for persecution or prosecution, but to provide a common understanding of the purposes for which an employee can and cannot use the technology.
- The ISSP serves to protect both the employee and the organization from inefficiency and ambiguity.

System-Specific Security Policy (SysSP)
- SysSPs often function as standards or procedures to be used when configuring or maintaining systems.
- SysSPs can be separated into two general groups, management guidance and technical specifications, or the two types of SysSP content may be combined into a single policy document.

Using a Secure Systems Development Life Cycle (SecSDLC)
- Investigation Phase
- Analysis Phase
- Design Phase
- Implementation Phase
- Maintenance Phase

Complying With Policy
- A standard is a more detailed statement of what must be done to comply with policy.
- Practices, procedures, and guidelines explain how employees are to comply with policy.

Policies, Standards, & Practices

Brief Summary
- Why Policy?
- What Is Policy?
- Basic Rules For Policy Development
- 3 Types Of Policy
- Using SecSDLC
- Complying With Policy
- Policies, Standards, & Practices

Sources
Whitman, Michael E., and Herbert J. Mattord. Management of Information Security. Canada: Course Technology.

Any Questions?