Policy
Introduction
Definition
Policy
a plan or course of action used by an organization
to convey instructions from management to
those who perform duties
Trust
Policy (Cont’d)
Objectives:
Reduced risk
Assurance of operation continuity, information
integrity, and confidentiality
Compliance with laws and regulations
Least expensive means of control
Often overlooked and difficult to implement
legal
Scenario
Case Study
Case Study (cont’d)
Case Study (cont’d)
The court ruled that the company was liable for
breach of contract because it did not block all
so-called questionable sites. By instituting a
policy stating that it would filter out these
sites, the company was “accepting
responsibility for the successful execution of
this activity” and was therefore accountable.
The damage award, as well as reimbursement
for the employee’s “distress,” was based on
this finding.
Basic Policy Requirements
Policies must
be implementable and enforceable
be concise and easy to understand
balance protection with productivity
Policies should
state reasons why policy is needed
describe what is covered by the policies
define contacts and responsibilities
discuss how violations will be handled
be flexible
Policy Communication
Policy Management
A schedule of reviews
Relationship with Standards, Practices,
Procedures, and Guidelines
Policies
Standards
Types of Policies
Policy can be senior management's directives
to create an information security program,
establish its goals, and assign responsibilities.
The term policy is also used to refer to the
specific security rules for particular systems.
Additionally, policy may refer to entirely
different matters, such as the specific
managerial decisions setting an organization's
e-mail privacy policy or fax security policy.
Enterprise Information Security Policy (EISP)
EISP Elements
Components of the EISP
Issue-Specific Security Policy (ISSP)
The ISSP:
Addresses specific areas of technology
Requires frequent updates
Contains statement on organization’s position on
specific issue
Three approaches to creating and managing ISSPs:
Create a number of independent ISSP documents
Create a single comprehensive ISSP document
Create a modular ISSP document
Issue-Specific Security Policy (ISSP)
Components of the ISSP (Continued)
Systems Management
  Management of Stored Materials
  Employer Monitoring
  Virus Protection
  Physical Security
  Encryption
Violations of Policy
  Procedures for Reporting Violations
  Penalties for Violations
Policy Review and Modification
  Scheduled Review of Policy and Procedures for Modification
Limitations of Liability
  Statements of Liability or Disclaimers
Systems-Specific Policy (SysSP)
Configuration rules
Access Control Lists
Include user access lists, matrices, and capability tables that
govern rights and privileges
Can control access to:
  file storage systems
  object brokers or other network communications devices
Capability table: a user profile listing what each user may do
(the subject-centric view of the same rights an ACL lists per object)
Specifications are frequently complex matrices
Level of detail and specificity (often called granularity) may
vary from system to system
ACLs enable administrators to restrict access according to
user, computer, time, duration, or even a particular file
ACLs
In general ACLs regulate:
Who can use the system
What authorized users can access
When authorized users can access the system
Where authorized users can access the system from
How authorized users can access the system
Restricting what users can access, e.g. printers, files,
communications, and applications
ACLs (Continued)
Administrators set user privileges, such as:
Read
Write
Create
Modify
Delete
Compare
Copy
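The following is an added example, not code from the slides: a small default-deny ACL evaluator that encodes the five questions above (who, what, when, where, how) as fields of one rule, uses the privilege vocabulary from this slide, and derives a capability table (the subject-centric user profile) from the same rules. The Rule and Request types, the payroll-database and printer objects, the group names and the IP ranges are all constructed for this illustration.

```python
"""Toy ACL / capability-table evaluator (added example, not from the slides).

A systems-specific policy rule answers WHO (user or group) may do HOW
(privilege) to WHAT (object), WHEN (time window) and from WHERE (source
network).  Every name, object and address below is constructed for the
example; access is denied unless some rule matches on all five dimensions.
"""
from dataclasses import dataclass
from datetime import time
from ipaddress import ip_address, ip_network

# Privilege vocabulary from the slide.
PRIVILEGES = frozenset({"read", "write", "create", "modify", "delete", "compare", "copy"})


@dataclass(frozen=True)
class Rule:
    """One ACL entry.  subject is a user name or 'group:<name>'."""
    subject: str
    obj: str
    privileges: frozenset
    start: time = time(0, 0)          # WHEN: inclusive same-day window
    end: time = time(23, 59, 59)
    networks: tuple = ("0.0.0.0/0",)  # WHERE: allowed source networks (CIDR)


@dataclass(frozen=True)
class Request:
    user: str
    groups: frozenset
    obj: str
    privilege: str
    at: time
    src_ip: str


def _subject_matches(subject: str, user: str, groups: frozenset) -> bool:
    if subject.startswith("group:"):
        return subject[len("group:"):] in groups
    return subject == user


def rule_matches(rule: Rule, req: Request) -> bool:
    """True only if the rule covers the request on every dimension."""
    if not _subject_matches(rule.subject, req.user, req.groups):  # WHO
        return False
    if rule.obj != req.obj:                                        # WHAT
        return False
    if req.privilege not in rule.privileges:                       # HOW
        return False
    if not (rule.start <= req.at <= rule.end):                     # WHEN
        return False
    src = ip_address(req.src_ip)                                   # WHERE
    return any(src in ip_network(net) for net in rule.networks)


def authorize(acl: list, req: Request) -> bool:
    """Default deny: grant only if some rule matches completely."""
    if req.privilege not in PRIVILEGES:
        raise ValueError(f"unknown privilege {req.privilege!r}")
    return any(rule_matches(rule, req) for rule in acl)


def capability_table(acl: list, user: str, groups: frozenset) -> dict:
    """Subject-centric view of the ACL: object -> privileges the user holds.
    Time and network limits are ignored; it answers 'what could this user ever do'."""
    caps: dict = {}
    for rule in acl:
        if _subject_matches(rule.subject, user, groups):
            caps[rule.obj] = caps.get(rule.obj, frozenset()) | rule.privileges
    return caps


# Constructed sample ACL: a payroll database with granular limits, plus a printer.
SAMPLE_ACL = [
    Rule("group:payroll", "file:/srv/payroll.db", frozenset({"read", "write", "modify"}),
         start=time(8, 0), end=time(18, 0), networks=("10.10.0.0/16",)),
    Rule("alice", "file:/srv/payroll.db",
         frozenset({"read", "write", "create", "modify", "delete"}),
         networks=("10.10.0.0/16", "10.20.0.0/16")),
    Rule("group:staff", "printer:hq-3f", frozenset({"write"})),
]
PAYROLL = frozenset({"payroll", "staff"})
STAFF = frozenset({"staff"})


def demo() -> dict:
    """Evaluate constructed requests; each key names the dimension being exercised."""
    db = "file:/srv/payroll.db"
    checks = {
        "bob_read_in_hours_onsite": Request("bob", PAYROLL, db, "read", time(9, 30), "10.10.4.7"),
        "bob_read_after_hours":     Request("bob", PAYROLL, db, "read", time(19, 0), "10.10.4.7"),
        "bob_read_from_outside":    Request("bob", PAYROLL, db, "read", time(9, 30), "192.168.1.5"),
        "bob_delete_in_hours":      Request("bob", PAYROLL, db, "delete", time(9, 30), "10.10.4.7"),
        "alice_delete_at_night":    Request("alice", STAFF, db, "delete", time(2, 0), "10.20.1.1"),
        "carol_print":              Request("carol", STAFF, "printer:hq-3f", "write", time(12, 0), "172.16.0.9"),
        "carol_read_payroll":       Request("carol", STAFF, db, "read", time(12, 0), "10.10.4.7"),
    }
    return {name: authorize(SAMPLE_ACL, req) for name, req in checks.items()}


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name:28s} {'ALLOW' if allowed else 'DENY'}")
    print(capability_table(SAMPLE_ACL, "bob", PAYROLL))
```

Running it shows bob's payroll read allowed only inside the 08:00 to 18:00 window and only from 10.10.0.0/16, his delete denied because the group rule never grants it, and carol denied on the database because no rule names her or her group. The default-deny structure is the point: a request that matches no rule, or matches a rule on four dimensions but not the fifth, is refused.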
Configuration Rules
Policy Levels
Policies are classified!