Policy 2 Dr.Talal Alkharobi. 2 Create Appropriate Policy Each organization may need different policies. Policy templates are useful to examine and to.

Slides:



Advertisements
Similar presentations
The Whole/Hole of Security Public (DoD) v. Corporate Carl Bourland US Army Judge Advocate Generals Corps.
Advertisements

HR SERVICE REQUEST SYSTEM Department Demonstrations February 2012.
USG INFORMATION SECURITY PROGRAM AUDIT: ACHIEVING SUCCESSFUL AUDIT OUTCOMES Cara King Senior IT Auditor, OIAC.
STRATEGIC PLANNING FOR Post-Clearance Audit (PCA)
Chpter#5 -part#1 Project Scope and Human Resource Planning
BP5- METHODS BY WHICH PERSONAL DATA CAN BE PROTECTED Data Protection.
The Office of Information Technology Information Security Administrator Kenneth Pierce, Vice Provost for IT and Chief Information Officer.
Security Controls – What Works
“Alberta - A Province Prepared” 2008 STAKEHOLDER SUMMIT.
Security Awareness: Applying Practical Security in Your World
Performance Development Plan (PDP) Training
Sanjay Goel, School of Business/Center for Information Forensics and Assurance University at Albany Proprietary Information 1 Unit Outline Information.
Pertemuan Matakuliah: A0214/Audit Sistem Informasi Tahun: 2007.
Schools’ Data Collection for National Partnerships Agreements (NPA) Educational Measurement and School Accountability Directorate (EMSAD)
Auditing Logical Access in a Network Environment Presented By, Eric Booker and Mark Ren New York State Comptroller’s Office Network Security Unit.
Lesson 8-Information Security Process. Overview Introducing information security process. Conducting an assessment. Developing a policy. Implementing.
Information Security Training for Management Complying with the HIPAA Security Law.
IT Control Objectives for Sarbanes-Oxley
An Educational Computer Based Training Program CBTCBT.
Security Policies Jim Stracka The Problem Today.
Chapter 4.  Can technology alone provide the best security for your organization?
Maintain Ethical Conduct
Chapter 11 Management Skills
Faye Business Systems Group presents: The Top 10 Reasons Why CRM Implementations Fail.
15 Maintaining a Web Site Section 15.1 Identify Webmastering tasks Identify Web server maintenance techniques Describe the importance of backups Section.
Level 2 IT Users Qualification – Unit 1 Improving Productivity Jordan Girling.

Conservation Districts Supervisor Accreditation Module 9: Employer/Employee Relations.
Monica J. Stern, Certified Public Accountant. What is an audit? An audit is a prescribed process a Certified Public Accountant applies to your financial.
Project Management Methodology Project Closing. Project closing stage Must be performed for all projects, successfully completed or shut off by management.
Important acronyms AO = authorizing official ISO = information system owner CA = certification agent.
General Awareness Training Security Awareness Module 3 Take Action! Where To Go for Help.
April 14, A Watershed Date in HIPAA Privacy Compliance: Where Should You Be in HIPAA Security Compliance and How to Get There… John Parmigiani National.
KAPLAN SCHOOL OF INFORMATION SYSTEMS AND TECHNOLOGY Unit 4 IT 484 Networking Security Course Name – IT Networking Security 1203C Term Instructor.
Instructional Plan | Slide 1 AET/515 Instructional Plan December 17, 2012 Kevin Houser.
OCTAVE-S on TradeSolution Inc.. Introduction Phase 1: Critical Assets and threats Phase 2: Critical IT Components Phase 3: Changes Required in current.
Security Policies and Procedures. cs490ns-cotter2 Objectives Define the security policy cycle Explain risk identification Design a security policy –Define.
Environment, Health and Safety OARS Online Accident Reporting System A guide to the University of Calgary’s new web- based On-line Accident Reporting System.
Project Charters Module 3
Lesson 9-Information Security Best Practices. Overview Understanding administrative security. Security project plans. Understanding technical security.
The Development of BPR Pertemuan 6 Matakuliah: M0734-Business Process Reenginering Tahun: 2010.
Patient Confidentiality and Electronic Medical Records Ann J. Olsen, MBA, MA Information Security Officer and Director, Information Management Planning.
LEGAL ASPECTS OF DIGITAL LIBRARIES By TALWANT SINGH ADDL DISTT. & SESSIONS JUDGE; DELHI.
Washington State Auditor’s Office State Agency Policy Workshop Presented to the Department of Enterprise Services Monday, March 23, 2015 Sarah Mahugh,
IT 499 Bachelor Capstone Week 4. Adgenda Administrative Review UNIT Four UNIT Five Project UNIT Six Preview Project Status Summary.
Phases of BCP The BCP process can be divided into the following life cycle phases: Creation of a business continuity and disaster recovery policy. Business.
The Impact of Evolving IT Security Concerns On Cornell Information Technology Policy.
SAP Identity Management 7.2 Implementation
Behavior Observation ASA/AEA SAFETY +. Unsafe Acts Are Responsible For 98% Of All Incidents.
Chapter 11: Policies and Procedures Security+ Guide to Network Security Fundamentals Second Edition.
MF Policy Compliance Review Rural Bankers Association of the Philippines- Microenterprise Access to Banking Services (RBAP-MABS) Supervisors Training Course.
Policies and Procedures Security+ Guide to Network Security Fundamentals Chapter 11.
Copyright © 2007 Pearson Education Canada 9-1 Chapter 9: Internal Controls and Control Risk.
Policies and Security for Internet Access
Assumptions of Secure Operation University of Sunderland CSEM02 Harry R. Erwin, PhD.
Fraud Risk – some context first Year ending September 2015 there were 604,601 fraud offences reported (ONS) The National Fraud Indicator report in 2013.
Patricia Alafaireet Patricia E. Alafaireet, PhD Director of Applied Health Informatics University of Missouri-School of Medicine Department of Health.
Federal Reviews: What to Expect Laura Lawrence Lavonne Juhl.
Contemporary Business Issues Change Management Theory Module Tutor: Nigel Bryant Session th February 2016.
Important acronyms AO = authorizing official ISO = information system owner CA = certification agent.
By the end of this lesson you will be able to: 1. Determine the preventive support measures that are in place at your school.
INFORMATION ASSURANCE POLICY. Information Assurance Information operations that protect and defend information and information systems by ensuring their.
Welcome. Contents: 1.Organization’s Policies & Procedure 2.Internal Controls 3.Manager’s Financial Role 4.Procurement Process 5.Monthly Financial Report.
Component D: Activity D.3: Surveys Department EU Twinning Project.
Build an Enterprise IT Security Training Program
TLM Qualifications Mark Book and Learner Site
MANAGEMENT of INFORMATION SECURITY, Fifth Edition
Administering Your Network
TECHNOLOGY ASSESSMENT
SAFETY + Behavior Observation.
Presentation transcript:

Policy 2 Dr.Talal Alkharobi

2 Create Appropriate Policy Each organization may need different policies. Policy templates are useful to examine and to learn from. Copying some other organization's policy word for word is not the best way to create your policies

3 Defining What is important The first step in creating information security policy is to define which policies are more important for a given organization. An organization that delivers information over the Internet may require a disaster recovery plan more than a computer use policy The organization's security staff should be able to identify which policies are most relevant and important to an organization. Create Appropriate Policy

4 Sources of information Security staff Risk assessment System Administration, Human Resources, and the General counsel's office Defining What is important

5 Defining Acceptable Behavior What is acceptable employee behavior will differ based on the culture of the organization. Open Allow all employees to surf the Internet without restriction. The organization is relying on the employees and their managers to make sure work is being completed. Restricted Place restrictions on which employees are allowed access Load software that restricts access to "unacceptable" web sites. Create Appropriate Policy

6 Defining Acceptable Behavior The policies for these two organizations may differ significantly. In fact, the first organization may decide not to implement an Internet use policy at all. Before a security professional begins drafting policy for an organization, the security professional should take some time to learn the culture of the organization and the expectations of the organization with regard to its employees. Create Appropriate Policy

7 Identifying Stakeholders Policy that is created in a vacuum rarely succeeds. Who to includ in the process of developing the policy so that they will gain an understanding of what is expected. Security professionals General counsel Human Resources department System administrators, Users of computer systems, Physical security staff. Generally speaking, those who will be affected by the policy Create Appropriate Policy

8 Defining Appropriate Outlines The development of a policy starts with a good outline. There are many sources of good policy outlines available in books, and on the Internet. RFC 2196, "The Site Security Handbook, "provides a number of outlines for various policies. Create Appropriate Policy

9 Policy Development Security should drive the development of security policies but without discarding input from other stockholders Begin the process with outline and a draft of each policy section Meet stakeholders to discuss there comments (1 or more meetings) Work through the policy section by section. Listen to all comments and allow discussion. Keep in mind, however, that some may not be. In case of inappropriate suggestions, provide the reasons why a risk would be increased or not managed properly. Create Appropriate Policy

10 Policy Development Make sure that the stakeholders understand the reasoning behind the choices of the policy. It may be appropriate to meet with stakeholders for the final draft When complete, take it to management for approval and implement. Create Appropriate Policy

11 Deploy Policy To create policy, you only had to get a small number of people involved. To effectively deploy the policy, you need to work with the whole organization.

12 Gaining Buy-In Every department of the organization that is affected by the policy must buy concept behind it. This will be easier when you involve stakeholders from all departments in the creation of the policy. A message from upper management will go a long way to gain department management buy-in. Deploy Policy

13 Education Employees who will be affected by a new policy must be educated by the security department. This is especially important when it comes to changes that directly affect all users Changing the password policy Changes to authentication systems Deploy Policy

14 Changing the password Approach 1 As of Monday all user passwords Must be eight characters in length Mixture of letters and numbers, Will expire in 30 days All current passwords expire immediately. Without education, employee will choose not good (easy) passwords or choose passwords they cannot remember, They will call helpdesk again and again or They will write the password down. Deploy Policy-Education

15 Changing the password Approach 2 Conduct security-awareness training where employees are told about the coming change and why it must be made. Teach employees how to pick strong passwords that are easy to remember. The help disk can be informed to know what to expect (be ready). Security can work with system administrators to phase the change (not every employee needs to change passwords on the same day) Deploy Policy-Education

16 Education A better approach would be to conduct security-awareness training where employees are of the coming change and why it must be made. At the same time. they can taught pick strong passwords that are easy to remember. The can be informed the change so they know what to expect. Security can work with system administrators to see if way in the change so not every employee needs to change passwords on the makes for a smoother transition. Changes to authentication systems affect the greatest number of employees (all of them!) and must therefore made very carefully. Deploy Policy

17 Implementation Radical changes to the security can have adverse effects on the organization. Gradual, well-planned transitions are much better. Security should work with System Administration or other affected departments to make the change as easily as possible. Deploy Policy

18 Use Policy Effectively Policy can be used as a club, but it is much more effective when used as an education tool. Keep in mind that the vast majority of employees have the best interests of the organization at heart and do try to do their jobs to the best of their abilities.

19 New Systems and Projects As new systems and projects begin, the existing security policies and design procedures should be followed. This allows Security to be a part of the design phase of the project and allows for security requirements to be identified early in the process. If a new system will not be able to meet a security requirement, this allows time for the organization to understand the added risk and to provide some other mechanism to manage it. Use Policy Effectively

20 Existing Systems and Projects As new policies are approved, each existing system should be examined to see if it is in compliance. If not, the system should be examined to see if it can be made to comply with the policy. Security, system administrators and the department that uses the system need to make the needed changes to the systems. This may entail some development changes that cannot implemented immediately (some delay may occur). Security need to work with the administrators and other departments to make sure the changes are done in a timely fashion within the budget and design constraints of the system Use Policy Effectively

21 Audit Many organizations have internal audit department that periodically audit systems for compliance with policy Security should approach the audit department about new policies and work with them so that the auditors understand the policy before they have to audit aging. Security should explain to audit how the policy was developed and what is expected from that policy. Audit should explain to Security how the audits will be done and what they will look for. There should also be some agreement on what types of systems will be considered adequate for various policy sections. Use Policy Effectively

22 Policy Reviews Even a good policy does not last forever. Every policy should be reviewed on a regular basis (annually) to make sure it is still relevant for the organization. Some procedures, such as an incident response procedure or disaster recovery plan, may require more frequent reviews. All of the original stakeholders should be contacted to collect comments on the existing policy (meeting may be required) Make the policy adjustments, get approval, and start the education process again. Use Policy Effectively

23 Assignment Develop the needed set of policies for information security in a bank. Enplane first how the security department will start the process and who should be evolved Due in 2 weeks from today Weight 5% of total mark

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.