Published by Madison Morgan. Modified over 8 years ago.
Slide 1: Information Security Policy Development for Management
By Peter McCarthy
Slide 2: Brief Overview
- Why Policy?
- What Is Policy?
- Basic Rules for Policy Development
- 3 Types of Policy
- Using SecSDLC
- Complying with Policy
- Policies, Standards, & Practices
Slide 3: Why Policy?
- The centrality of information security policies to virtually everything that happens in the information security field is increasingly evident.
- An effective information security training and awareness effort cannot be initiated without writing information security policies, because policies provide the essential content that can be utilized in training and awareness material.
- Properly developed and implemented policies enable the information security program to function almost seamlessly within the workplace.
Slide 4: The Bulls-eye Model
(figure only)
Slide 5: What Is Policy?
- Policy is a plan or course of action, as of a government, political party, or business, intended to influence and determine decisions, actions, and other matters.
- Policies comprise a set of rules that dictate acceptable and unacceptable behavior within an organization.
- Policies must also specify the penalties for unacceptable behavior and define an appeal process.
Slide 6: Basic Rules for Policy Development
- Set the information resource security policy for the organization with the objectives of reduced risk, compliance with laws and regulations, and assurance of operational continuity, information integrity, and confidentiality.
- Policy must be able to stand up in court, if challenged.
- Policy must be properly supported and administered.
Slide 7: Basic Rules for Policy Development (cont.)
- All policies must contribute to the success of the organization.
- Management must ensure the adequate sharing of responsibility for proper use of information systems.
- End users of information systems should be involved in the steps of policy formulation.
Slide 8: 3 Types of Policy
- Enterprise information security program policy
- Issue-specific security policies
- System-specific security policies
Slide 9: Enterprise Information Security Policy (EISP)
- The EISP sets the strategic direction, scope, and tone for all of an organization's security efforts.
- It assigns responsibilities for the various areas of information security, including maintenance of information security policies and the practices and responsibilities of end users.
- It guides the development, implementation, and management requirements of the information security program.
- It must directly support the organization's vision and mission statements.
- It must be defensible if legal challenges to it arise.
Slide 10: Issue-Specific Security Policy (ISSP)
- The ISSP provides detailed, targeted guidance to instruct all members of the organization in the use of technology-based systems.
- Its purpose is not to establish a legal foundation for persecution or prosecution, but rather to provide a common understanding of the purposes for which an employee can and cannot use the technology.
- The ISSP serves to protect both the employee and the organization from inefficiency and ambiguity.
Slide 11: System-Specific Security Policy (SysSP)
- SysSPs often function as standards or procedures to be used when configuring or maintaining systems.
- SysSPs can be separated into two general groups, management guidance and technical specifications, or they may combine these two types of SysSP content into a single policy document.
Slide 12: Using a Secure Systems Development Life Cycle (SecSDLC)
- Investigation Phase
- Analysis Phase
- Design Phase
- Implementation Phase
- Maintenance Phase
Slide 13: Complying with Policy
- A standard is a more detailed statement of what must be done to comply with policy.
- Practices, procedures, and guidelines explain how employees are to comply with policy.
Slide 14: Policies, Standards, & Practices
(figure only)
Slide 15: Brief Summary
- Why Policy?
- What Is Policy?
- Basic Rules for Policy Development
- 3 Types of Policy
- Using SecSDLC
- Complying with Policy
- Policies, Standards, & Practices
Slide 16: Sources
- Whitman, Michael E., and Herbert J. Mattord. Management of Information Security. Canada: Course Technology, 2004. 106-131.
Slide 17: Any Questions?