Outline Chapter 5 & 6 - Outline Chapter 5 INTRODUCTION POLICY STANDARDS MISSION VISION STRATEGIC PLANNING SECURITY POLICY INFORMATION SECURITY

Outline Chapter 5 INTRODUCTION The creation of an information security program begins with the creation or review of the organization’s information security policies, standards, and practices, followed by the selection or creation of information security architecture and a detailed information security blueprint. 172 POLICY Is a plan or course of action used to convey instructions from an organization’s senior -most management to those who make decisions, take actions, and perform other duties. 174 STANDARDS On the other hand, are more detailed statements of what must be done to comply with policy. They have the same requirement for compliance as policies. 174 MISSION The mission of an organization is a written statement of an organization’s purpose. 174 VISION The vision of an organization is a written statement about the organization’s goals. Where will the organization be in five years? In ten? 174 STRATEGIC PLANNING Is the process of moving the organization toward its vision. 174 SECURITY POLICY The meaning of the term security policy depends on the context in which it is used. In general, security policy is a set of rules that protect an organization’s assets. A security policy can also represent a credit card agency’s method for processing credi t card numbers. 175 INFORMATION SECURITY POLICY Provides rules for the protection of the information assets of the organization. 175 STANDARD and TECHNOLOGY SPECIAL PUBLICATION Management must define three types of security policy: 1. Enterprise information security policies 2. Issue-specific security policies 3. System-specific security policies 175 THREE TYPES OF SECURITY POLICY 1-Enterprise information security policies , 2-Issue-specific security policies, 3-Systems-specific security policies. 175 CRITERIA FOR POLICY TO BE EFFECTIVE 1-Dissmemination(distribution), 2-Review(reading), 3- Comprehension(understanding),4-Compliance (agreement), 5- Uniform enforcement 175 ENTERPRISE INFORMATION SECURITY POLICY (EISP) Is also known as a general security policy, organizational security policy, IT security policy, or information security policy. The EISP is based on and directly supports the mission, vision, and direction of the organization and sets the strategic direction, scope, and tone for all security efforts 175 ISSUE-SPECIFIC SECURITY POLICY (ISSP) 1)addresses specific area of technology, 2) requires frequent updates and 3) contains a statement on the organization’s position on a specific issue. Three of the most common area to create the following types of ISSP documents: 1. Independent ISSP documents, each tailored to a specific issue 2. A single comprehensive ISSP document covering all issues 3. A modular ISSP document that unifies policy creation and administration, while maintaining each specific issue’s requirements.