List and describe the three guidelines for sound policy, as stated by Bergeron and Bérubé.

Answer
All policies must contribute to the success of an organization means that a policy should be of p…

INTRODUCTION
The success of any information security program rests on policy development. When a program fails, the failure can often be traced to this unmet need to build a foundation for success. In 1989, the National Institute of Standards and Technology addressed this point in Special Publication SP 500-169, Executive Guide to the Protection of Information Resources (1989):

BACKGROUND
Policy is "a plan or course of action, as of a government, political party, or business, intended to influence and determine decisions, actions, and other matters" (Merriam-Webster, 2002). In other words, policies are the set of rules that define acceptable and unacceptable behavior within an organization. Policies must also specify the penalties for unacceptable behavior and define an appeal process. An example of a policy is an organization prohibiting the viewing of pornographic Web sites at the workplace.

EFFECTIVE INFORMATION SECURITY POLICIES
To produce a complete information
security policy in the organization, management must use three types of information security policy. These three types are based on National Institute of Standards and Technology Special Publication 800-14 (1996), which outlines what senior managers need when writing policy. This document is recommended for professionals involved in creating policy and can be found at http://csrc.nist.gov/publications/nistpubs/800-14/800-14.pdf. The three types of policy are:

Figure 1. Spheres of use and protection of information (Whitman & Mattord, 2003)

Enterprise Information Security Policy
An enterprise information security policy (EISP), also known as a security program policy, general security policy, IT security policy, high-level information security policy or information security policy, sets the strategic direction, scope, and tone for all of an organization's security efforts. The EISP assigns responsibilities for the various areas of information security, including maintenance of the information security policies themselves and the practices and responsibilities of end users. In particular, the EISP guides the development, implementation, and management requirements of the information security program, which must be met by information security management, IT development, IT operations and other specific security functions.

Issue-Specific Security Policy (ISSP)
A sound issue-specific security policy provides detailed, targeted guidance to instruct all members of the organization in the use of technology-based systems. The ISSP should begin with an introduction to the organization's fundamental technological philosophy. It should assure the members of the organization that the purpose of the policy is not to provide a legal foundation for persecution or prosecution, but to provide a common understanding of the purposes for which an employee can and cannot use the technology. Once this understanding is established, employees are free to use the technology without seeking approval for each type of use. This protects both the employee and the organization from inefficiency and ambiguity. According to Whitman et al. (1999) an
effective ISSP:

Systems-Specific Policy (SysSP)
While issue-specific policies are formalized as written documents, distributed to users, and agreed to in writing, systems-specific policies (SysSPs) are frequently codified as standards and procedures used when configuring or maintaining systems. One example of a SysSP is a document describing the configuration and operation of a network firewall. Such a document could include a statement of managerial intent, guidance to network engineers on selecting, configuring, and operating firewalls, and an access control list that defines the level of access for each authorized user. Systems-specific policies fall into two general groups: management guidance and technical specifications.

Management Guidance SysSPs
A management guidance SysSP is created by management to guide the implementation and configuration of technology intended to support the security of information. For example, while the specific configuration of a firewall belongs in the technical specifications SysSP, the general construction and implementation of the firewall must follow guidelines established by management. An organization may decide, for instance, that its employees are not to have access to the Internet via the organization's network; the firewall would then have to be implemented according to this rule.

Technical Specifications SysSPs
While a manager may work with a systems administrator to create managerial policy as described above, the systems administrator may need to create a different type of policy to implement the managerial policy. Each type of equipment has its own type of policy, used to translate the management intent for the technical control into an enforceable technical approach. For example, an ISSP may require that user passwords be changed quarterly; a systems administrator can implement a technical control within a specific application to enforce this requirement. There are two general methods of implementing such technical controls: access control lists, which include the user access lists, matrices, and capability tables that govern the rights and privileges of users, and configuration rules, the specific configuration codes entered into security systems to guide the system's handling of information as it passes through.

FUTURE TRENDS
To deal with the complexities of developing and implementing policies, organizations are increasingly turning to alternate solutions. These range from templates based on the work of established experts in the field (e.g., Charles Cresson Wood) to automated policy approval and distribution systems such as Security Policy Management from NetIQ (Security Policy Management, 2004). These systems simplify the onerous tasks of drafting policy, obtaining management approval, distributing it to end users, and documenting compliance by creating a structure in which the draft policy is placed. Control and approval pass from author to reviewer, and the policy is eventually published to end users. Once users have read the policy, the system records their activity and can eventually administer quizzes on the policy content. Use of systems like these greatly improves an organization's ability to issue and manage policy as an effective tool in support of ongoing operations.

CONCLUSION
The early years of the 21st century have seen the emergence of information security both as a practical area of specialization in information technology and as an academic discipline in post-secondary education. As many new members join the information security community, it is important that the primary role of policy, as the mechanism by which an organization defines what is to be secured, is clearly understood. Without sound policy as a foundation, constructed with the same care and attention to detail required by every other part of the information security mission, an organization is less likely to succeed in its mission to protect information assets.

KEY TERMS
Access Control List (ACL): A list of people or other entities permitted to access a computer resource.

What are the three primary goals of information security? Describe them.
The three primary goals of information security are preventing the loss of confidentiality, the loss of integrity, and the loss of availability for systems and data. Most security practices and controls can be traced back to preventing losses in one or more of these areas.
What three-part model is designed to guide policies for information security within an organization?
Confidentiality, integrity and availability, also known as the CIA triad, form the model designed to guide policies for information security within an organization. The model is sometimes referred to as the AIC triad (availability, integrity and confidentiality) to avoid confusion with the Central Intelligence Agency.
What is an EISP and what purpose does it serve?
An enterprise information security policy (EISP), also called a security program policy, sets the scope, tone and strategic direction for all of a company's security efforts; NIST SP 800-14 describes what such a policy should contain. The EISP should directly reflect the goals and mission of the company.