TEL2813/IS2820 Security Management
Lecture 3: Information Security Policy
Jan 24, 2006
Introduction
This chapter focuses on information security policy:
  - What it is
  - How to write it
  - How to implement it
  - How to maintain it
Policy: the essential foundation of an effective information security program
Why Policy?
  - A quality information security program begins and ends with policy
  - Policies are the least expensive means of control, and often the most difficult to implement
  - Some basic rules must be followed when shaping a policy:
      - Never conflict with the law
      - Stand up in court
      - Be properly supported and administered
      - Contribute to the success of the organization
      - Involve the end users of information systems
Figure 4-1 The Bulls-eye Model
Policy-Centric Decision Making
Bulls-eye model layers (outermost to innermost):
  - Policies: the first layer of defense
  - Networks: where threats first meet the organization's network
  - Systems: computers and manufacturing systems
  - Applications: all application systems
Policies, Standards, & Practices
Policy, Standards, and Practices
  - Policy: a plan or course of action that influences and determines decisions
  - Standards: a more detailed statement of what must be done to comply with policy
  - Practices, procedures, and guidelines: explain how employees will comply with policy
For policies to be effective, they must be:
  - Properly disseminated
  - Read
  - Understood
  - Agreed to
Policy, Standards, and Practices (Continued)
  - Policies require constant modification and maintenance
  - To produce a complete information security policy, management must define three types of information security policy (NIST SP 800-14):
      - Enterprise information security program policy
      - Issue-specific information security policies
      - Systems-specific information security policies
Enterprise Information Security Policy (EISP)
  - Sets the strategic direction, scope, and tone for the organization's security efforts
  - Assigns responsibilities for the various areas of information security
  - Guides the development, implementation, and management requirements of the information security program
EISP Elements
EISP documents should provide:
  - An overview of the corporate philosophy on security
  - Information about the information security organization and information security roles
  - Responsibilities for security shared by all members of the organization
  - Responsibilities for security unique to each role within the organization
Components of the EISP
  - Statement of Purpose: what the policy is for
  - Information Technology Security Elements: defines information security
  - Need for Information Technology Security: justifies the importance of information security in the organization
  - Information Security Responsibilities and Roles: defines the organizational structure
  - References to Information Technology standards and guidelines
Example EISP - CCW
Protection of Information: Information must be protected in a manner commensurate with its sensitivity, value, and
This note was uploaded on 08/27/2010 for the course IS 2820 taught by Professor Jameskoshi during the Spring '10 term at Webber.