Chapter 4
Security Policy

Outline:
- Chapter Overview
- Chapter Objectives
- Introduction
- Discussion Topics
- Key Terms

Management of Information Security 4-1

Chapter Overview
In this chapter, readers will learn to define information security policy and understand its central role in a successful information security program. Research has shown that there are three major types of information security policy, and the chapter will explain what goes into each type as the reader learns how to develop, implement, and maintain various types of information security policies.

Chapter Objectives
When you complete this chapter, you will be able to:
- Define information security policy and understand its central role in a successful information security program
- Recognize the three major types of information security policy and know what goes into each type
- Develop, implement, and maintain various types of information security policies

Introduction
This chapter focuses on information security policy:
- what it is,
- how to write it,
- how to implement it, and
- how to maintain it.
Policy is the essential foundation of an effective information security program.

“The success of an information resources protection program depends on the policy generated, and on the attitude of management toward securing information on automated systems. You, the policy maker, set the tone and the emphasis on how important a role information security will have within your agency. Your primary responsibility is to set the information resource security policy for the organization with the objectives of reduced risk, compliance with laws and regulations and assurance of operational continuity, information integrity, and confidentiality.”

Why Policy?
A quality information security program begins and ends with policy. Properly developed and implemented policies enable the information security program to function almost seamlessly within the workplace. Although information security policies are the least expensive means of control to execute, they are often the most difficult to implement.
Some basic rules must be followed when shaping a policy:
- Policy should never conflict with law
- Policy must be able to stand up in court, if challenged
- Policy must be properly supported and administered

“All policies must contribute to the success of the organization. Management must ensure the adequate sharing of responsibility for proper use of information systems. End users of information systems should be involved in the steps of policy formulation.”

The Bull’s-eye Model
Bull’s-eye model layers:
- Policies—the outer layer in the bull’s-eye diagram
- Networks—where threats from public networks meet the organization’s networking infrastructure
- Systems—includes computers used as servers, desktop computers, and systems used for process control and manufacturing systems
- Applications—includes all application systems

“…policies are important reference documents for internal audits and for the resolution of legal disputes about management's due diligence [and] policy documents can act as a clear statement of management's intent…”

Policy, Standards, and Practices
Policy is “a plan or course of action, as of a government, political party, or business, intended to influence and determine decisions, actions, and other matters”. A standard is a more detailed statement of what must be done to comply with policy. Practices, procedures and guidelines explain how employees will comply with policy.
For policies to be effective they must be:
- properly disseminated
- read
- understood
- agreed to
Policies require constant modification and maintenance.
In order to produce a complete information security policy, management must define three types of information security policy:
- Enterprise information security program policy
- Issue-specific information security policies
- Systems-specific information security policies

Enterprise Information Security Policy
The EISP:
- sets the strategic direction, scope, and tone for all of an organization’s security efforts;
- assigns responsibilities for the various areas of information security;
- guides the development, implementation, and management requirements of the information security program.

EISP Elements
Most EISP documents should provide:
- An overview of the corporate philosophy on security
- Information on the structure of the information security organization and the individuals who fulfill the information security role
- Fully articulated responsibilities for security that are shared by all members of the organization
- Fully articulated responsibilities for security that are unique to each role within the organization

Components of the EISP
- Statement of Purpose - Answers the question “What is this policy for?” Provides a framework that helps the reader understand the intent of the document.
- Information Technology Security Elements - Defines information security.
- Need for Information Technology Security - Provides information on the importance of information security in the organization and the obligation (legal and ethical) to protect critical information, whether regarding customers, employees, or markets.
- Information Technology Security Responsibilities and Roles - Defines the organizational structure designed to support information security within the organization.
- Reference to Other Information Technology Standards and Guidelines - Lists other standards that influence and are influenced by this policy document.

Example EISP - CCW
- Protection of Information: Information must be protected in a manner commensurate with its sensitivity, value, and criticality.
- Use of Information: Company X information must be used only for the business purposes expressly authorized by management.
- Information Handling, Access, and Usage: Information is a vital asset, and all accesses to, uses of, and processing of Company X information must be consistent with policies and standards.
- Data and Program Damage Disclaimers: Company X disclaims any responsibility for loss or damage to data or software that results from its efforts to protect the confidentiality, integrity, and availability of the information handled by computers and communications systems.
- Legal Conflicts: Company X information security policies were drafted to meet or exceed the protections found in existing laws and
Pitt IS 2820 - Security Policy