
March 23 2023

Information Assurance Policies


Group 2

Pamela Angelica Palisoc
Jhon-jhon Abad
Joe-an Garrovillo
Overview

Information assurance policies encompass measures that protect and defend information and information systems by ensuring their availability, integrity, authentication, confidentiality, and non-repudiation.

Information security policies, a subset of information assurance, are designed to ensure users and networks meet minimum IT security standards, addressing data protection, user access control, and compliance with legal and regulatory requirements like NIST, GDPR, HIPAA, and FERPA.
Key components of an information assurance policy

Purpose

Clearly outline the purpose of the policy, which should include preserving the organization's information security, detecting and preempting breaches, protecting the organization's reputation, upholding ethical, legal, and regulatory requirements, protecting customer data, and responding to security-related complaints and queries.

Audience

Define who the policy applies to and who it does not apply to, ensuring that all users within the organization and its networks are covered. Consider including third-party and fourth-party risks in the policy to address potential vulnerabilities from external sources.

Information Security Objectives

Define the goals management has agreed upon and the strategies used to achieve them, focusing on the CIA triad - Confidentiality, Integrity, and Availability of data and information systems.
Key components of an information assurance policy

Authority and Access Control Policy

Specify who has the authority to decide data sharing, outline access control levels, handle sensitive information, define security controls, and establish acceptable security standards. Include network security policies and authentication requirements like strong passwords, biometrics, and access tokens.

Data Classification

Classify data into categories based on sensitivity, such as public information, confidential data, and critical information. Implement increasing levels of protection based on the data classification to ensure appropriate security measures are in place.

Data support and operations

Data protection regulations: systems that store personal data or other sensitive data.
Data backup: encrypt data backups according to industry best practices, both in motion and at rest.
Movement of data: only transfer data via secure protocols.
Key components of an information assurance policy

Security awareness and behavior

Share IT security policies with your staff. Conduct training sessions to inform employees of your security procedures and mechanisms, including data protection measures, access protection measures, and sensitive data classification.
Social engineering
Clean desk policy

Encryption policy

Encryption involves encoding data to keep it inaccessible to or hidden from unauthorized parties. It helps protect data stored at rest and in transit between locations and ensures that sensitive, private, and proprietary data remains private. It can also improve the security of client-server communication.

Data backup policy

A data backup policy defines rules and procedures for making backup copies of data. It is an integral component of the overall data protection, business continuity, and disaster recovery strategy.
Key components of an information assurance policy

Responsibilities, rights, and duties of personnel

Appoint staff to carry out user access reviews, education, change management, incident management, implementation, and periodic updates of the security policy. Responsibilities should be clearly defined as part of the security policy.

System hardening benchmarks

The information security policy should reference security benchmarks the organization will use to harden mission-critical systems, such as the Center for Internet Security (CIS) benchmarks for Linux, Windows Server, AWS, and Kubernetes.

References to regulations and compliance standards

The information security policy should reference regulations and compliance standards that impact the organization, such as the General Data Protection Regulation (GDPR), California Consumer Privacy Act (CCPA), Payment Card Industry Data Security Standard (PCI DSS), the Sarbanes-Oxley Act (SOX), and the Health Insurance Portability and Accountability Act (HIPAA).
Information assurance policies that organizations can implement

Information Security Policy (ISP)


An ISP outlines an organization's security rules, regulations, and strategies for maintaining the confidentiality, integrity, and
availability of critical data. It addresses all aspects related to enterprise data security, including the data itself and the
organization's systems, networks, programs, facilities, infrastructure, internal users, and third-party users.

Network Security Policy


This policy outlines who can have access to company networks and servers, as well as what authentication requirements
are needed, including strong password requirements, biometrics, ID cards, and access tokens. It helps in controlling and
securing access to critical IT assets within the organization.

Data Classification Policy


Organizations should classify data into categories based on sensitivity, such as public information, confidential data, and
critical information. This policy ensures that appropriate security measures are in place based on the classification of data,
enhancing data protection and security.
Information assurance policies that organizations can implement

Access Control Policy


An access control policy defines the level of authority over data and IT systems for every level of the organization. It outlines
how to handle sensitive information, who is responsible for security controls, and what security standards are acceptable.
This policy helps in managing and controlling access to key information technology assets within the organization.

Incident Response Policy


This policy outlines step-by-step actions to be taken in response to security incidents. It helps the cybersecurity team
proactively address potential risks and vulnerabilities, enabling the organization to respond promptly to security incidents
and mitigate their consequences.
NIST, GDPR, HIPAA, and FERPA

NIST

NIST stands for the National Institute of Standards and Technology, which is a non-regulatory federal agency within the U.S. Department of Commerce. NIST develops and issues standards, guidelines, and best practices to promote innovation and industrial competitiveness in various sectors, including cybersecurity.

GDPR

GDPR refers to the General Data Protection Regulation, a European law that came into effect on May 25, 2018. GDPR aims to protect the privacy and security of personal data of individuals within the European Economic Area (EEA) by regulating how organizations collect, store, process, and transfer personal data.

HIPAA

HIPAA stands for the Health Insurance Portability and Accountability Act, a U.S. federal law enacted in 1996. HIPAA includes provisions that establish standards for protecting sensitive patient health information known as Protected Health Information (PHI). It sets rules for healthcare providers, health plans, and healthcare clearinghouses to safeguard PHI and ensure patient privacy.

FERPA

FERPA stands for the Family Educational Rights and Privacy Act, a U.S. federal law that protects the privacy of student education records. FERPA applies to educational institutions that receive funding from the U.S. Department of Education and regulates the disclosure of student records and access to them.

End of Presentation

Thank you
