The creation of an information security program begins with the
creation or review of the organization’s information security
policies, standards, and practices, followed by the selection or
creation of information security architecture and a detailed
information security blueprint.
Is a plan or course of action used to convey instructions from an
organization’s senior-most management to those who make
decisions, take actions, and perform other duties.
On the other hand, are more detailed statements of what must be
done to comply with policy. They have the same requirement for
compliance as policies.
The mission of an organization is a written statement of an
The vision of an organization is a written statement about the
organization’s goals. Where will the organization be in five years?
Is the process of moving the organization toward its vision.
The meaning of the term security policy depends on the context in
which it is used. In general, security policy is a set of rules that
protect an organization’s assets. A security policy can also
represent a credit card agency’s method for processing credit card
Provides rules for the protection of the information assets of the
Management must define three types of security policy:
Enterprise information security policies
Issue-specific security policies
System-specific security policies
THREE TYPES OF
1-Enterprise information security policies , 2-Issue-specific security
policies, 3-Systems-specific security policies.
CRITERIA FOR POLICY
TO BE EFFECTIVE
1-Dissmemination(distribution), 2-Review(reading), 3-
Comprehension(understanding),4-Compliance (agreement), 5-
Is also known as a general security policy, organizational security
policy, IT security policy, or information security policy. The EISP is
based on and directly supports the mission, vision, and direction of
the organization and sets the strategic direction, scope, and tone
for all security efforts
1)addresses specific area of technology, 2) requires frequent
updates and 3) contains a statement on the organization’s position
on a specific issue.
Three of the most common area to create the following types of
Independent ISSP documents, each tailored to a specific
A single comprehensive ISSP document covering all issues
A modular ISSP document that unifies policy creation and
administration, while maintaining each specific issue’s
The modular approach provides a balance between issue