chapter04

Management of Information Security 4-1

Chapter 4
Security Policy

Chapter Overview
In this chapter, readers will learn to define information security policy and understand its central role in a successful information security program. Research has shown that there are three major types of information security policy, and the chapter will explain what goes into each type as the reader learns how to develop, implement, and maintain various types of information security policies.

Chapter Objectives
When you complete this chapter, you will be able to:
- Define information security policy and understand its central role in a successful information security program
- Recognize the three major types of information security policy and know what goes into each type
- Develop, implement, and maintain various types of information security policies
Management of Information Security 4-2

Introduction
This chapter focuses on information security policy: what it is, how to write it, how to implement it, and how to maintain it. Policy is the essential foundation of an effective information security program.

“The success of an information resources protection program depends on the policy generated, and on the attitude of management toward securing information on automated systems. You, the policy maker, set the tone and the emphasis on how important a role information security will have within your agency. Your primary responsibility is to set the information resource security policy for the organization with the objectives of reduced risk, compliance with laws and regulations, and assurance of operational continuity, information integrity, and confidentiality.”

Why Policy?
A quality information security program begins and ends with policy. Properly developed and implemented policies enable the information security program to function almost seamlessly within the workplace. Although information security policies are the least expensive means of control to execute, they are often the most difficult to implement. Some basic rules must be followed when shaping a policy:
- Policy should never conflict with law
- Policy must be able to stand up in court, if challenged
- Policy must be properly supported and administered

“All policies must contribute to the success of the organization. Management must ensure the adequate sharing of responsibility for proper use of information systems. End users of information systems should be involved in the steps of policy formulation.”

The Bulls-eye Model
Bulls-eye model layers:
- Policies—the outer layer in the bull’s-eye diagram
- Networks—where threats from public networks meet the organization’s networking infrastructure
- Systems—includes computers used as servers, desktop computers, and systems used for process control and manufacturing
- Applications—includes all application systems