Outline Chapter 5
INTRODUCTION
The creation of an information security program begins with the creation or review of the organization's information security policies, standards, and practices, followed by the selection or creation of an information security architecture and a detailed information security blueprint. (p. 172)
POLICY (p. 174)
A plan or course of action used to convey instructions from an organization's senior-most management to those who make decisions, take actions, and perform other duties.
STANDARDS (p. 174)
Standards, on the other hand, are more detailed statements of what must be done to comply with policy. They carry the same requirement for compliance as policies.
MISSION (p. 174)
The mission of an organization is a written statement of the organization's purpose.
VISION (p. 174)
The vision of an organization is a written statement about the organization's goals. Where will the organization be in five years? In ten?
STRATEGIC PLANNING (p. 174)
The process of moving the organization toward its vision.
SECURITY POLICY (p. 175)
The meaning of the term security policy depends on the context in which it is used. In general, a security policy is a set of rules that protect an organization's assets. A security policy can also represent a credit card agency's method for processing credit card numbers.
INFORMATION SECURITY POLICY (p. 175)
Provides rules for the protection of the information assets of the organization.
THREE TYPES OF SECURITY POLICY (p. 175)
According to the National Institute of Standards and Technology (NIST) Special Publication cited in the chapter, management must define three types of security policy:
1. Enterprise information security policies
2. Issue-specific security policies
3. System-specific security policies
CRITERIA FOR POLICY TO BE EFFECTIVE (p. 175)
1. Dissemination (distribution)
2. Review (reading)
3. Comprehension (understanding)
4. Compliance (agreement)
5. Uniform enforcement
ENTERPRISE INFORMATION SECURITY POLICY (EISP) (p. 175)
Also known as a general security policy, organizational security policy, IT security policy, or information security policy. The EISP is based on and directly supports the mission, vision, and direction of the organization, and sets the strategic direction, scope, and tone for all security efforts.
ISSUE-SPECIFIC SECURITY POLICY (ISSP) (p. 175)
An ISSP 1) addresses a specific area of technology, 2) requires frequent updates, and 3) contains a statement on the organization's position on a specific issue.
Three of the most common approaches to creating ISSP documents are:
1. Independent ISSP documents, each tailored to a specific issue
2. A single comprehensive ISSP document covering all issues
3. A modular ISSP document that unifies policy creation and administration while maintaining each specific issue's requirements
- Spring '12
- Zales
- Information Security, Computer Security, security policy