Chapter 1. Understanding Policy

Chapter Objectives

After reading this chapter and completing the exercises, you should be able to do the following:

- Describe the significance of policies.
- Evaluate the role policy plays in corporate culture and civil society.
- Articulate the objective of information security–related policies.
- Identify the seven characteristics of successful policies.
- Define the lifecycle of an information security policy.

We live in an interconnected world where individual as well as collective actions have the potential to result in inspiring goodness or tragic harm. The objective of Information Security is to protect each of us, our economy, our critical infrastructure, and our country from the harm that can result from inadvertent or intentional misuse, compromise, or destruction of information and information systems.

The United States Department of Homeland Security defines critical infrastructure sectors as agriculture, food, water, public health, emergency services, government, defense industrial base, information technology and telecommunications, energy, transportation, banking, finance, chemical industry, and postal and shipping. The services provided by critical infrastructure sectors are “the backbone of our nation’s economy, security and health. We know it as the power we use in our homes, the water we drink, the transportation that moves us, and the communication systems we rely on to stay in touch with friends and family. Critical infrastructure are the assets, systems, and networks, whether physical or virtual, so vital to the United States that their incapacitation or destruction would have a debilitating effect on security, national economic security, national public health or safety, or any combination thereof.”¹

FYI: National Security

Presidential Policy Directive 7 – Protecting Critical Infrastructure (2003) established a national policy that required federal departments and agencies to identify and prioritize United States critical infrastructure and key resources and to protect them from physical and cyber terrorist attacks. The directive acknowledged that it is not possible to protect or eliminate the vulnerability of all critical infrastructure and key resources throughout the country, but that strategic improvements in security can make it more difficult for attacks to succeed and can lessen the impact of attacks that may occur. In addition to strategic security enhancements, tactical security improvements can be rapidly implemented to deter, mitigate, or neutralize potential attacks.

Ten years later, in 2013, Presidential Policy Directive 21 – Critical Infrastructure Security and Resilience broadened the effort to strengthen and maintain secure, functioning, and resilient critical infrastructure by recognizing that this endeavor is a shared responsibility among the federal, state, local, tribal, and territorial entities as well as public and private owners and operators of critical infrastructure.