Information Security Policy - PowerPoint
Unit Outline
Information Security Policy
Module 1: Purpose
Module 2: Life Cycle
Module 3: Terminology
Module 4: Structure
Module 5: Summary
Sanjay Goel, School of Business/Center for Information Forensics and Assurance 1
University at Albany Proprietary Information
Module 4
Structure
Learning Objectives
• Students should be able to:
– Create a general security policy program.
– Know what the components of a security policy program,
an issue-specific policy, and acceptable use guidelines are.
Security Policy Outline
Information Security Policy
• High-Level
– Security Program Policy
– Acceptable Use Guidelines
• Low-Level
– Issue-Specific Policy (each containing one or more System-Specific Policies)
Security Program Policy
• A security program policy is a high-level policy which contains the
general rationale and purpose of an information security policy,
as well as related definitions, roles and responsibilities, and
compliance.
Information Security Policy
• Security Program Policy
– Introduction: Purpose, Policy Statement, Scope
– Issue-Specific Policy Summaries
– Roles & Responsibilities
– Relevant Resources: References, Definitions
Security Program Policy: Introduction
• Purpose
– The purpose usually contains the rationale for why the information
security policy is being created.
• Policy Statement
– The policy statement describes organizational values and philosophy
on issues detailed within the security policy.
• Scope
– The scope details application constraints of the information security
policy. For example, it can specify the departments, personnel, and
systems that it will impact. This is usually determined as a result of a
risk analysis.
Security Program Policy: Issue-Specific Summaries
• While the introductory sections of the security policy should be
created first, most of the Security Program Policy should be
developed after issue-specific and system-specific policies.
• Issue-Specific Summaries go through all of the issue-specific
policies defined throughout the entire security policy and give a
top-level overview.
Security Program Policy: Roles & Responsibilities
• The roles and responsibilities section lists relevant personnel and
the responsibilities they have related to the information security
policy. These responsibilities and role definitions usually
include:
– Development, maintenance, and publication of present and future
policy
– Creation and decision of relevant procedures for policies
– Implementation of policies
– Enforcement of policies (dealing with violations)
– Monitoring and auditing of compliance
– User responsibilities
Security Program Policy: Relevant Resources
• References
– Pertain to past policies which the information security policy
supersedes, related legislation and laws, other relevant
organizational policies or guidelines, and international standards.
– These may be listed in the form of a link or citation.
– These are useful in providing the context for an information
security policy.
• Definitions
– Clarify the meaning of terms (e.g. general information security,
information technology, and specific roles).
– Definitions should be concise and easy-to-understand in order to
be effective.
– The point of including definitions is to avoid misunderstandings
in language and to provide a frame of reference.
Low-Level Policy
Information Security Policy
• Issue-Specific Policy
– Background/Rationale
– Description
– Sub-Category: Background/Rationale, Description, Guidelines, and
System-Specific Policy (Implementation Procedures, Enforcement
Procedures, Evaluation Procedures)
– References
– Definitions
Low-Level Policy: Issue-Specific
• Issue-Specific policies usually focus on areas defined by a
previous risk analysis and usually differ from organization to
organization. However, all issue-specific policies do share
common elements, despite variations in order or location
within a document.
• They contain multiple sections, but should begin with an
initial description of what the controls constitute (sub-
categories), why they are important for the organization, and
the associated risks that they impact.
Low-Level Policy: Sub-Category General
• Issue-Specific policies are usually higher-level areas of
security controls, which contain sub-categories.
• Sub-categories of issue-specific policies will also contain a
description, background, and associated risks.
• In addition, similar to the higher-level issue-specific policy,
there may be references to other documents, organizational
processes, etc., as well as defined terms for clarification
purposes.
Low-Level Policy: Sub-Category Specific
• They also tend to include:
– Specific guidelines which reference responsibilities and roles and are
dependent on the sub-category. These can also include acceptable
use guidelines.
– Procedures for implementation (includes responsibilities and roles;
instructions; guidelines; standards; system-specific steps; as well as
training and awareness programs)
– Procedures for enforcement (includes responsibilities and roles,
reporting procedures and procedures for dealing with violations)
– Procedures for evaluation (includes processes for
evidence/documentation for evaluation, schedule for auditing,
monitoring methods, auditing methods)
Acceptable Use Guidelines
• Acceptable Use Guidelines, like the Security Program Policy, are considered a
high-level policy.
• They are basically a summary of all acceptable use guidelines and can be
categorized by the issue that they are specific to and/or to whom they apply.
• Acceptable Use Guidelines are usually compiled and distributed within
pamphlets to regular users who neither need nor want detailed
implementation and/or enforcement procedures and simply want to know
what they may and may not do so that they do not cause damage to
themselves or the organization.
Exercise
• A good way of applying what has been learned in this
module would be to view a genuine security program policy.
• In a linked zip file you should find the following:
– “Business & Finance Bulletin IS-3 Electronic Information Security”,
which is a security program policy from the University of California.
– “HEP-C Alert, Inc. General Security Policy” from the company
HEP-C Alert, Inc.
– “Cyber-Security Policy P03-002”, version 2.0 of a security program
policy for New York State government agencies.
– “Government Security Policy”, a security program policy for the
Canadian government.
• While there are some differences in the application, it is
apparent that the main aspects of the security program
policy detailed are contained within all of these documents.
Summary
• An information security policy is made up of high-level policies
(security program policy and acceptable use guidelines) as well
as low-level policies (issue-specific and system-specific).
• A security program policy contains:
– Purpose, Policy Statement, Scope, Issue-Specific Policy Summaries,
Roles and Responsibilities, References, and Definitions.
• An issue-specific policy can contain sub-categories. Both of
these contain a description, rationale, references, and definitions.
• However, the sub-categories also tend to contain acceptable use
guidelines, and specific procedures for implementation,
enforcement and evaluation.