Sunday, October 4, 2015

Information Security Policy

Week 5

October 4, 2015

Information Security Policy

An Information Security Policy (ISP) is designed to safeguard the confidentiality, integrity, and availability of all physical and electronic assets of the organization, and to ensure that regulatory, operational, and contractual requirements are fulfilled. The ISP should state the organization's overall security goals, such as: compliance with applicable laws, regulations, and guidelines; meeting the confidentiality, integrity, and availability requirements of the organization's employees and other users; establishing the controls necessary to protect information and information systems against theft, abuse, and other forms of harm and loss; and motivating employees to take responsibility for, and ownership of, their knowledge of information security, in order to reduce the risk of security incidents. (Whitman and Mattord)
The ISP should address the current business strategy and the framework for risk management, and provide guidelines for identifying, assessing, evaluating, and controlling information-related risks. So that operations can continue even after an incident, the ISP should also ensure the existence of continuity plans, backup procedures, defenses against malicious code and malicious activity, system and information access control, and incident management and reporting.
One approach to putting an ISP into practice is the bull's-eye model. It is a proven mechanism for prioritizing complex changes and is widely accepted among InfoSec practitioners. The model focuses on systematic solutions in which issues are addressed by moving from the general to the specific: from policies, through networks and systems, to individual applications. (Whitman and Mattord)
Policy should directly address how issues are to be handled and how technologies are to be used, rather than specifying the proper operation of particular equipment or software. The ISP should also state the consequences of unacceptable behavior.
For an organization to have a complete ISP, management has to define an Enterprise Information Security Policy (EISP), Issue-Specific Security Policies (ISSPs), and System-Specific Security Policies (SysSPs); this three-tier structure is based on NIST SP 800-14, published in 1996. When developing these policies, the organization first creates the EISP, which is the highest-level policy, and then addresses the needs that the general policy does not cover by developing ISSPs and SysSPs. (Whitman and Mattord)
NIST SP 800-14, Generally Accepted Principles and Practices for Securing Information Technology Systems, describes best practices and commonly accepted information security principles that can be used to develop a security blueprint, and lists the principles that should be integrated into the information security process. The more significant points made in SP 800-14 are:
· Security supports the mission of the organization
· Security is an integral element of sound management
· Security should be cost-effective
· Systems owners have security responsibilities outside their own organizations
· Security responsibilities and accountability should be made explicit
· Security requires a comprehensive and integrated approach
· Security should be periodically reassessed
· Security is constrained by societal factors
Policy drives the performance of personnel in ways that enhance the InfoSec of an organization's information assets. Although InfoSec policies are the least expensive means of control, they are often the most difficult to implement.

References:

Michael E. Whitman and Herbert J. Mattord, Management of Information Security, 4th ed., Cengage Learning.

