
Friday, June 7, 2019

The Role of Information Security Policy Essay Example for Free

The framework for an information security program is composed of policies and their respective standards and procedures. This article will examine the relationship between policies, standards, and procedures and the roles they play in an organization's information security program. In addition, the roles of individuals inside and outside of the organization with respect to the creation of policy and standards will be discussed. Finally, it will describe how an organization can meet its information security needs at each level of security and how this relates to the content of the information security policy (ISP).

Information Security Policy (ISP)

Definition

Policies form the foundation of everything an organization is and does. Likewise, an ISP is the foundation of a company's information security program. A policy is a high-level plan on how an organization intends to respond to certain issues. An ISP sets the tone of the organization's information security program and establishes the will and intent of the company in all information security matters. The ISP also defines how the company will regulate its employees. Policies must support an organization's objectives and promote the organization's success. Policies must never be illegal and must be defensible in a court of law. Policies must be supported and administered fairly and consistently throughout the organization (Whitman & Mattord, 2010). The following paragraphs list some tips for developing and implementing an ISP.

A Clear Purpose

It is essential that an ISP have a clearly defined purpose. Specific objectives should guide the creation of the ISP, and the purpose should articulate exactly what the policy is to accomplish (McConnell, 2002). McConnell (2002) further notes that, "If you cannot explain why the policy exists, you cannot expect your employees to understand it or follow it" (p. 2).

Employee Input

In developing policies, it is a good idea to gain the input of the employees to which the policy will apply. Ideally, there should be at least one representative from each department. Allowing various employees to give input on the policy will help to ensure that nothing is overlooked and that the policy is easily understood (McConnell, 2002).

Security Awareness and Training Program

In addition to gaining the employees' acknowledgement of the ISP at their orientation, the ISP should be part of the security awareness and training program. Ongoing awareness training can focus on various security policies (McConnell, 2002). It is important to keep the awareness of information security matters fresh in the minds of the employees to avoid complacent behaviors that may lead to serious violations.

Enforcement

Enforcement is critical to the success of any policy; policies that are not enforced are soon ignored. McConnell (2002) notes, "A policy that you are unable or unwilling to enforce is useless" (p. 2). If a policy is unenforceable, it should be removed or revised to the point where it is enforceable. Not only must a policy be enforceable, it must be enforced from the top down. When managers set the example, the rest of the staff are more likely to follow (McConnell, 2002).

Standards

While policy sets the overall plan or intent of the organization in regards to information security, standards define the specific elements required to comply with policy. For example, an acceptable use policy may prohibit employees from visiting inappropriate websites; the standard defines what websites are considered inappropriate (Whitman & Mattord, 2010). Standards may be developed in house, but the common preferred way is to utilize already established industry standards that can then be tailored to the organization's specific needs.

Procedures

Procedures are the step-by-step actions necessary to comply with the policy. Procedures are driven by standards that are governed by policy (Whitman & Mattord, 2010). Most policy violations may be traced back to either a willful or negligent failure to follow procedures.

Roles

Senior Management

Senior management initiates the need for policy creation; it is their intent and purpose that the policy is created to communicate. Senior management is the final authority and gives the final approval for the policy.

Information Security Officer (ISO)

The ISO is essentially the policy's owner, overseeing all aspects of the ISP and acting as the agent reporting to senior management. The ISO creates a governance committee that works together to develop and update policy. The ISO oversees organizational compliance with security policies (California Office of Information Security and Privacy Protection, 2008).

IT Staff

The information technology (IT) staff is responsible for installing and maintaining the technical controls to ensure users are compliant with the security policies. For example, the IT staff may install software that blocks access to prohibited websites. The IT staff also conducts monitoring of employee activity on the company network.

Managers

Managers, as already stated, must lead by example. When managers do not follow and enforce policies, it communicates to the employees that policies are not important and that following them is optional. A body will always follow its head; likewise, a department will always follow the example of its managers.

End Users

The average end user is perhaps the greatest security asset and the greatest security threat; clear security policies and proper security awareness training are the deciding factors. People should be made aware of common security threats such as social engineering attacks and the importance of safeguarding their password information. They should be trained to understand exactly what the organization expects from them in regards to information security (Whitman & Mattord, 2010).

External Agents

There may be times when outside people may need to have access to an organization's network, such as vendors, consultants, and temporary employees. Such people should be required to sign an acknowledgement form agreeing to abide by all security policies, standards, and procedures.

Security Levels

The Bulls-eye Model

The bulls-eye model is a way of tailoring the ISP to the needs of the organization at various security levels. The four levels of the bulls-eye are policies, networks, systems, and applications (Whitman & Mattord, 2010). Whitman and Mattord (2010) state, "In this model, issues are addressed by moving from the general to the specific, always starting with policy" (p. 120).

Policy

An information security policy, as already discussed, sets the foundation for an organization's information security program (Ungerman, 2005). While all policies are high-level, there are different levels that a policy may address. The enterprise information security policy (EISP) is the overall policy that encompasses all other information security policies within the organization. Issue-specific security policies (ISSP) target specific issues and contain more low-level elements than the EISP. An example of an ISSP is an acceptable use policy (AUP). Finally, there are system-specific security policies (SysSP). A SysSP is so low-level that it may appear more like a procedure than a policy. A SysSP, through either managerial guidance or technical specifications, defines the system-specific controls needed to conform to an ISSP. An example of a SysSP would be the implementation of website filtering software to enforce the company's AUP (Whitman & Mattord, 2010).

Network

Network-level security is about securing the network and as such is heavily focused on controlling access through user authentication. The EISP may define who may access the network in addition to how and why. An ISSP may then specify what type of authentication and access control models may be used. SysSPs can then prescribe technical specifications, such as software requiring a periodic password change, to facilitate compliance with the ISSP (Whitman & Mattord, 2010).

System

System-level security is concerned with securing the actual system components of the network, such as the computers, printers, and servers. Examples of ISSPs at the system level are the AUP, password policies, and policies prohibiting the installation of unapproved hardware and software by end users (Whitman & Mattord, 2010).

Application

Application-level security deals with any type of application, from out-of-the-box software like MS Office to enterprise resource planners (ERP) like SAP. Policy considerations here would be controlling user access and the application update policy. Policy controls who has access to which applications and to which features (Whitman & Mattord, 2010).

Conclusion

References

California Office of Information Security and Privacy Protection. (2008, April). Guide for the Role and Responsibilities of an Information Security Officer Within State Government. Retrieved from http://www.cio.ca.gov/ois/government/documents/pdf/iso_roles_respon_guide.pdf

McConnell, K. D. (2002). How to Develop Good Security Policies and Tips on Assessment and Enforcement. Retrieved from http://www.giac.org/paper/gsec/1811/develop-good-security-policies-tips-assessment-enforcement/102142

Ungerman, M. (2005). Creating and Enforcing an Effective Information Security Policy. Retrieved from http://www.isaca.org/Journal/Past-Issues/2005/Volume-6/Documents/jopdf-0506-creating-enforcing.pdf

Whitman, M., & Mattord, H. (2010). Management of Information Security (3rd ed.). Mason, OH: Cengage Learning. Retrieved from The University of Phoenix eBook Collection database.
