Saturday, April 13, 2019

The Role of Information Security Policy

The framework for an organization's information security program is composed of policies and their respective standards and procedures. This article will examine the relationship between policies, standards, and procedures and the roles they play in an organization's information security program. In addition, the roles of individuals inside and outside of the organization with respect to the creation of policy and standards will be discussed. Finally, it will examine how an organization can meet its information security needs at each level of security and how this relates to the content of the information security policy (ISP).

Information Security Policy (ISP)

Definition

Policies form the foundation of everything an organization is and does. Likewise, an ISP is the beginning of a company's information security program. A policy is a high-level plan for how an organization intends to respond to certain issues. An ISP sets the tone of the organization's information security program and establishes the will and intent of the company in all information security matters. The ISP also defines how the company will treat its employees. Policies must support an organization's objectives and promote the organization's success. Policies must never be illegal and must be defensible in a court of law. Policies must be supported and administered fairly and consistently throughout the organization (Whitman & Mattford, 2010). The following paragraphs list some tips for developing and implementing an ISP.

A Clear Purpose

It is essential that an ISP have a clearly defined purpose. Specific objectives should guide the creation of the ISP, and the purpose should articulate exactly what the policy is to accomplish (McConnell, 2002). McConnell (2002) further notes that, "If you cannot explain why the policy exists, you cannot expect your employees to understand it or follow it" (p. 2).

Employee Input

In developing policies, it is a good idea to solicit the input of the employees to whom the policy will apply. Ideally, there should be at least one representative from each department. Allowing various employees to give input on the policy will help to ensure that nothing is overlooked and that the policy is easily understood (McConnell, 2002).

Security Awareness and Training Program

In addition to gaining the employees' acknowledgement of the ISP at their orientation, the ISP should be part of the security awareness and training program. Ongoing awareness training can focus on various security policies (McConnell, 2002). It is important to keep information security matters fresh in the minds of employees to avoid complacent behaviors that may lead to serious violations.

Enforcement

Enforcement is critical to the success of any policy; policies that are not enforced are soon ignored. McConnell (2002) notes, "A policy that you are unable or unwilling to enforce is useless" (p. 2). If a policy is unenforceable, it should be removed or revised to the point where it is enforceable. Not only must a policy be enforceable, it must be enforced from the top down. When managers set the example, the rest of the staff are more likely to follow (McConnell, 2002).

Standards

While policy sets the general plan or intent of the organization in regard to information security, standards define the specific elements required to comply with policy. For example, an acceptable use policy may prohibit employees from visiting inappropriate websites; the standard defines which websites are considered inappropriate (Whitman & Mattford, 2010). Standards may be developed in house, but the common preferred approach is to adopt already established industry standards that can then be tailored to the organization's specific needs.

Procedures

Procedures are the step-by-step actions necessary to comply with the policy. Procedures are driven by standards, which are governed by policy (Whitman & Mattford, 2010). Most policy violations can be traced back to either a willful or a negligent failure to follow procedures.

Roles

Senior Management

Senior management initiates the need for policy creation; it is their intent and purpose that the policy is created to communicate. Senior management is the final authority and gives the final approval for the policy.

Information Security Officer (ISO)

The ISO is fundamentally the policy's champion, overseeing all aspects of the ISP and reporting to senior management. The ISO creates a governance committee that works together to develop and update policy. The ISO oversees organizational compliance with security policies (California Office of Information Security and Privacy Protection, 2008).

IT Staff

The information technology (IT) staff is responsible for installing and maintaining the technical controls that ensure users comply with the security policies. For example, the IT staff may install software that blocks access to prohibited websites. The IT staff also monitors employee activity on the company network.

Managers

Managers, as already stated, must lead by example. When managers do not follow and enforce policies, it communicates to employees that policies are not important and that following them is optional. A body will always follow its head; likewise, a department will always follow the example of its managers.

End Users

The average end user is perhaps both the greatest security asset and the greatest security threat; clear security policies and proper security awareness training are the deciding factors. People should be made aware of common security threats such as social engineering attacks and of the importance of safeguarding their passwords. They should be trained to understand exactly what the organization expects from them in regard to information security (Whitman & Mattford, 2010).

External Agents

There may be times when outside people, such as vendors, consultants, and temporary employees, need access to an organization's network. Such people should be required to sign an acknowledgement form agreeing to abide by all security policies, standards, and procedures.

Security Levels

The Bull's-eye Model

The bull's-eye model is a way of tailoring the ISP to the needs of the organization at various security levels. The four levels of the bull's-eye are policies, networks, systems, and applications (Whitman & Mattford, 2010). Whitman and Mattford (2010) state, "In this model, issues are addressed by moving from the general to the specific, always starting with policy" (p. 120).

Policy

An information security policy, as already discussed, sets the foundation for an organization's information security program (Ungerman, 2005). While all policies are high-level, there are different levels that a policy may address. The enterprise information security policy (EISP) is the overall policy that encompasses all other information security policies within the organization. Issue-specific security policies (ISSPs) target specific issues and contain more low-level elements than the EISP. An example of an ISSP is an acceptable use policy (AUP). Finally, there are system-specific security policies (SysSPs). A SysSP is so low-level that it may appear more like a procedure than a policy. A SysSP, through either managerial guidance or technical specifications, defines the system-specific controls needed to conform to an ISSP. An example of a SysSP would be the implementation of website filtering software to enforce the company's AUP (Whitman & Mattford, 2010).

Network

Network-level security is about securing the network and as such is heavily focused on controlling access through user authentication. The EISP may define who may access the network, in addition to how and why. An ISSP may then specify what types of authentication and access control models may be used. SysSPs can then mandate technical specifications, such as software requiring a periodic password change, to facilitate compliance with the ISSP (Whitman & Mattford, 2010).

System

System-level security is concerned with securing the actual system components of the network, such as the computers, printers, and servers. Examples of ISSPs at the system level are the AUP, password policies, and policies prohibiting the installation of unapproved hardware and software by end users (Whitman & Mattford, 2010).

Application

Application-level security deals with any type of application, from out-of-the-box software like MS Office to enterprise resource planning (ERP) systems like SAP. Policy considerations here would be controlling user access and application update policy. Policy controls who has access to which applications and to which features (Whitman & Mattford, 2010).

Conclusion

References

California Office of Information Security and Privacy Protection. (2008, April). Guide for the Role and Responsibilities of an Information Security Officer Within State Government. Retrieved from http://www.cio.ca.gov/ois/government/documents/pdf/iso_roles_respon_guide.pdf

McConnell, K. D. (2002). How to Develop Good Security Policies and Tips on Assessment and Enforcement. Retrieved from http://www.giac.org/paper/gsec/1811/develop-good-security-policies-tips-assessment-enforcement/102142

Ungerman, M. (2005). Creating and Enforcing an Effective Information Security Policy. Retrieved from http://www.isaca.org/Journal/Past-Issues/2005/Volume-6/Documents/jopdf-0506-creating-enforcing.pdf

Whitman, M., & Mattford, H. (2010). Management of Information Security (3rd ed.). Mason, OH: Cengage Learning. Retrieved from the University of Phoenix eBook Collection database.
