Information Assurance Policy and Management


1 Information Assurance Policy and Management
(Original notes by Sheldon Durrant and Timothy Summers)

2 Purpose of the Policy
Recognizing sensitive information assets
Clarifying security responsibilities
Promoting awareness for existing employees
Guiding new employees

The policy should state the purpose of the organization’s security functions, reflecting the requirements of beneficiaries, users, and owners. For example, the policy may state that the system will “protect customers’ confidentiality or preserve a trust relationship”, “ensure continual usability”, or “maintain profitability”.

There are typically three to five goals, such as:
Promote efficient business operation.
Facilitate sharing of information throughout the organization.
Safeguard business and personal information.
Ensure that accurate information is available to support business processes.
Ensure a safe and productive place to work.
Comply with applicable laws and regulations.

The security goals should be related to the overall goal or nature of the organization. It is important that the system’s purpose be stated clearly and completely because subsequent sections of the policy will relate back to these goals, making the policy a goal-driven product.

3 Management Goals for Policy
There are typically three to five goals, such as:
Promote efficient business operation.
Facilitate sharing of information throughout the organization.
Safeguard business and personal information.
Ensure that accurate information is available to support business processes.
Ensure a safe and productive place to work.
Comply with applicable laws and regulations.

4 Role of Management in Policy
Owners
“Each piece of computing equipment is owned by someone, and the owner may not be a system user. An owner provides the equipment to users for a purpose, such as to further education, support commerce, or enhance productivity. A security policy should also reflect the expectations and needs of the owners.”

5 Characteristics of Good Policy
Be easy to understand
Be applicable
Be doable
Be enforceable
Be phased in
Be proactive
Avoid absolutes (allow for exceptions)
Meet business objectives

6 Policy Enforcement
Policies are meaningless if not enforced.
Steps an organization must take:
Collect information
Emphasize training as part of routine operations
Ensure that policies are distributed

7 Monitoring
People do not like to feel as if they are being watched.
Monitoring may lead to employee mistrust and/or legal issues.
All users must be made aware of the organization’s right to monitor.

8 Remedies
The organization has the right to control the environment in which the system operates.
Remedies are penalties to be taken for breaking rules.
Remedies should also include clear definitions in the disciplinary escalation process.

9 Auditing
Delegation of auditing responsibilities should be done by management.
The policy should state:
who is responsible for capturing data for auditing purposes;
how such data should be handled and stored;
who should have access to the data.

10 Policy Review
Security policies should grow and change along with the organization.
Policies should state how often the policies will be reviewed and/or updated.
Provisions should be provided so that sudden or unexpected changes in the policy can be adopted. This might come in the form of waivers.
– Barman, “Writing Information Security Policies”

11 Process of Policy Reviews
Policy reviews should include information gained from audits and risk assessments.
Management should make it a point to be involved in the policy review to ensure that any changes in policy are in line with the goals, vision and direction of the organization.
Policy reviews should include everyone who was responsible for developing them in the first place, including management, administrators, security staff, and human resources.

12 Books Used