Security Policy

Prof. Vidyavati H. R

Learning Objectives

• On completion of this session you will be able to:
• Differentiate between a policy, a standard, a guideline and a procedure
• Understand the different types of policies
• Understand the different components of a policy
• Attempt to write a policy

Policies, Standards, Guidelines and Procedures
• A policy is something that is mandatory.
• A standard is something you follow for best-practice reasons. It could be an industry standard, an internal standard or a personal standard.
• Guidelines are discretionary.
• Procedures are step-by-step instructions.
Why policy?
• A quality information security program begins and ends with policy.
• A security policy is a document that states in writing how a company plans to protect the company's physical and information technology (IT) assets. A security policy is often considered to be a "living document", meaning that the document is never finished, but is continuously updated as technology and employee requirements change.
• Properly developed and implemented policies enable the information security program to function almost seamlessly within the workplace.
• Although information security policies are the least expensive means of control to execute, they are often the most difficult to implement.
• Policies require constant modification and maintenance.
• Develop policies that you plan to enforce.
• Explain the purpose of the policy.
• Develop security policies that do not require updates too frequently.
• Don't develop your policies in a vacuum.
• Make your security policies available to everyone.
• Make sure your policies stay current.
• Make sure your policies are understood.
• Require acknowledgement of your policies.
• Include your policies as part of your security awareness training.
Types of policies
• Senior Management Statement of policy
• Regulatory policy
• Advisory policy
• Informative policy
• Organizational or Master policy
• System-specific policy
• Issue-specific policy
Components of policies
• Introduction /Overview
• Purpose
• Scope
• Policy Statement
• Policy Compliance (Compliance measurement, Exceptions, Non-compliance)
• Responsibilities
• Revision History (Date, Responsible, Summary of change)
Security Exception Request Process
• All information technology resources connected to the organization's network are expected to comply with the information technology security policies and standards, which are designed to establish the controls necessary to protect the organization's information assets.
• In circumstances when a particular policy or standard, security program requirement or security best practice cannot be fully implemented, an exception management program is needed.
• A control deficiency in one business process or IT resource can jeopardize other processes or resources, because erroneous data may be inherited or privacy may be compromised. However, there may be cases where compliance cannot be achieved, for a variety of reasons. For example:
• A temporary exception, where immediate compliance would disrupt critical operations.
• Another acceptable solution with equivalent protection is available.
• Lack of resources.
• In such cases, an exception must be documented and approved using this process.
Details to be covered in an exception request
• Description of the non-compliance
• Anticipated length of non-compliance
• Assessment of the risk associated with the non-compliance
• System(s) associated (for example, host names or IP addresses)
• Data Classification Category(s) of the associated system(s)
• Plan for alternate means of risk management
Write policies for
1. Employee hire policy
2. Employee termination policy
3. Anti-virus policy
4. Security awareness training
5. Back-up policy
6. Data classification policy
7. Access Control policy
8. Change management policy
9. Physical security policy
10. Encryption policy
11. Media disposal policy
12. Data retention policy
13. Acceptable use policy
14. Password policy
15. Email policy