Cyber security Policy development and implementation

Presentation transcript:

Cyber security Policy development and implementation by Erlan Bakiev, Ph.D.

Information security policy
The development of an information security policy involves more than mere policy formulation and implementation. Unless organizations explicitly recognize the various steps required in the development of a security policy, they run the risk of developing a policy that is:
- poorly thought out
- incomplete
- redundant and irrelevant
- not fully supported by the users

Major threats
The analysis indicates that the major threat to organizations' information security is caused by careless insider employees who intentionally or unintentionally misuse information assets. So: what processes should organizations follow in developing an effective information security policy? This class defines a model for the:
- formulation
- implementation
- enforcement
of an information security policy in an organization.

Insider employees
Insider employees who intentionally or unintentionally misuse information assets are among the top-ranked threats in organizations. Most e-crimes:
- Unauthorized access to corporate information: 63%
- Unintentional exposure of private or sensitive data: 57%
- Viruses, worms or other malicious code: 37%
- Theft of intellectual property: 32%

Challenges in developing policy
There is a lack of guidance on:
- how to develop security policy contents (commercial policies)
- the processes of developing and implementing an information security policy
Therefore, the policy statements developed may not be directly attributable to the risks they are designed to nullify.

Challenges in developing policy
There is a gap in the current security policy development methods. The literature does not offer a comprehensive methodology or mechanisms that show in detail the process of developing an information security policy.

Table 1: List of categories identified

Category label                                              Number of tags   Cumulative
1. Information security policy construction                 85               85
2. Management support                                       78               163
3. Information security policy compliance and enforcement

Risk assessment
There are several steps in risk assessment:
- The assets that the organization needs to protect are identified.
- A list of all threats that can cause harm to the organization's assets is compiled.
- The likelihood of a threat exercising a system vulnerability is determined.
- The threats and vulnerabilities that could cause a security failure, and the associated impacts, are assessed in terms of the organization's loss of integrity, availability and confidentiality.
- The controls that must be implemented in order to mitigate the risks are identified.

Information Security Policy Construction
Activities of constructing a security policy:
- Executive management issues directives in the form of a high-level security policy.
- These policies are transformed into organizational standards and guidelines. Organizational standards are detailed statements of what should be done, not how to do it.
- The detailed information security policies are supported by lower-level security policies, also called procedures. Procedures provide the step-by-step detailed instructions for how to carry out the requirements of an information security policy.

Information Security Policy Implementation
Implementation is the most difficult part of this process. The introduction of a new information security policy brings changes in the way employees behave in handling organizational information. The whole idea in implementation is to gain support from the organization's community to accept the changes. This is done by educating and training users:
- Raise awareness of their responsibilities.
- Emphasize recent actions taken against employees for security policy violations.

Information Security Policy compliance and enforcement
A number of theories have been developed to explain employees' behavioral intention towards compliance with information security policies.
- General Deterrence Theory (GDT): predicts that increasing the severity of punishment for those who violate the rules of the organization reduces some criminal acts.
- Theory of Planned Behavior (TPB): explains the intention of an individual to perform a given behavior (social pressures).

Information security policy monitoring, review and assessment
The need to review and update the security policy, periodically or non-periodically, is indispensable to the organization. The information security policy should be evaluated and reviewed on a regular basis to make sure it stays up to date with the latest threats, new regulations and government policies. An automated review-scheduling system that alerts in a timely manner when a major change to existing security practices has occurred is advised.

Management support
The first step in composing a security policy is to get top management's opinions on how they understand security in the organization. Without executive support, policies are just words. To have meaning, they must be given the right priority and be enforced. Management plays a key role in approving the policy and making sure that there is enough budget to cover all the resources required.

Employee support
Employee support comes from the end-users who carry out the different activities in an organization. The end-user community needs to be part of the development effort to ensure that the multidisciplinary nature of the organization is incorporated in the information security policy development process. End-users are the ones who put the information security policy requirements into practice.

International security standards
International standards such as ISO 27002 are a good starting point for implementing an information security policy, and thereby improve an organization's information security. International standards are used as a baseline framework because they increase trust with the organization's stakeholders. An international security standard that has been approved by security experts can definitely provide the basic requirements from which to start developing an information security policy.

Regulatory requirements
The main reason to develop an information security policy is to mitigate the various security risks that organizations face. Before writing the information security policy, organizations must first identify and understand all regulatory requirements that dictate the creation of such policies. It is necessary that organizations obtain legal advice to ensure that their policies are legally binding and that employees violating such policies will be legally liable for their behavior.

Information security policy stakeholders
The development of an effective security policy requires a combination of different skills emanating from different stakeholders. Experience recommends the involvement of ICT specialists and security specialists in the policy development process, because they have technical knowledge of the systems that the information security policy intends to protect as well as of the security of these systems. The human resources department should review and/or approve the security policy based on how it relates to the organization's existing policies.

Conclusion
What processes do organizations need to follow in developing and implementing an effective information security policy? The proposed model provides the different dimensions that a specific organization needs to take into account during the information security policy development and implementation process. It ensures both comprehensive and sustainable information security policies.