
Chapter (4) - Modified

This chapter discusses the importance of information security policies in managing security programs. It defines different types of policies, including enterprise policies, issue-specific policies, and system-specific policies. Enterprise policies set the strategic direction for security, assign roles and responsibilities, and guide the development of the security program. Issue-specific policies provide targeted guidance on secure use of technologies. System-specific policies direct the technical implementation of security controls. The chapter outlines key elements and components to include in each type of policy.

MANAGEMENT of INFORMATION SECURITY
Third Edition

CHAPTER 4
INFORMATION SECURITY POLICY

“Each problem that I solved became a rule which served afterwards to solve other problems” – René Descartes
Objectives
• Upon completion of this material you should be able to:
– Define information security policy and understand its central role in a successful information security program
– Describe the three major types of information security policy and explain what goes into each type
– Develop, implement, and maintain various types of information security policies
Management of Information Security, 3rd ed.
Introduction
• Policy is the essential foundation of an effective information security program
– “The success of an information resources protection program depends on the policy generated, and on the attitude of management toward securing information on automated systems”
• Policy maker sets the tone and emphasis on the importance of information security

Introduction (cont’d.)
• Policy objectives
– Reduced risk
– Compliance with laws and regulations
– Assurance of operational continuity, information integrity, and confidentiality

Why Policy?
• A quality information security program begins and ends with policy
• Policies are the least expensive means of control and often the most difficult to implement
• Basic rules for shaping a policy
– Policy should never conflict with law
– Policy must be able to stand up in court if challenged
– Policy must be properly supported and administered
Why Policy? (cont’d.)

Figure 4-1 The bull’s eye model
Source: Course Technology/Cengage Learning

Why Policy? (cont’d.)
• Bull’s-eye model layers
– Policies: first layer of defense
– Networks: threats first meet the organization’s network
– Systems: computers and manufacturing systems
– Applications: all application systems

Why Policy? (cont’d.)
• Policies are important reference documents
– For internal audits
– For the resolution of legal disputes about management's due diligence
– Policy documents can act as a clear statement of management's intent

Policy, Standards, and Practices
• Policy
– A plan or course of action that influences decisions
– For policies to be effective they must be properly disseminated, read, understood, agreed-to, and uniformly enforced
– Policies require constant modification and maintenance

Policy, Standards, and Practices (cont’d.)
• Types of information security policy
– Enterprise information security program policy
– Issue-specific information security policies
– Systems-specific policies
• Standards
– A more detailed statement of what must be done to comply with policy
• Practices
– Procedures and guidelines explain how employees will comply with policy
Policies, Standards, & Practices

Figure 4-2 Policies, standards and practices
Source: Course Technology/Cengage Learning

Enterprise Information Security Policy (EISP)
• Sets strategic direction, scope, and tone for the organization’s security efforts
• Assigns responsibilities for various areas of information security
• Guides development, implementation, and management requirements of the information security program

EISP Elements
• EISP documents should provide:
– An overview of the corporate philosophy on security
– Information about the information security organization and information security roles
• Responsibilities for security that are shared by all members of the organization
• Responsibilities for security that are unique to each role within the organization

Example EISP Components
• Statement of purpose
– What the policy is for
• Information technology security elements
– Defines information security
• Need for information technology security
– Justifies the importance of information security in the organization

Example EISP Components (cont’d.)
• Information technology security responsibilities and roles
– Defines organizational structure
• Reference to other information technology standards and guidelines

Issue-Specific Security Policy (ISSP)
• Provides detailed, targeted guidance
– Instructs the organization in the secure use of technology systems
– Begins with an introduction to the fundamental technological philosophy of the organization
• Protects the organization from inefficiency and ambiguity
– Documents how the technology-based system is controlled

Issue-Specific Security Policy (cont’d.)
• Protects the organization from inefficiency and ambiguity (cont’d.)
– Identifies the processes and authorities that provide this control
• Indemnifies the organization against liability for an employee’s inappropriate or illegal system use

Issue-Specific Security Policy (cont’d.)
• Every organization’s ISSP should:
– Address specific technology-based systems
– Require frequent updates
– Contain an issue statement on the organization’s position on an issue

Issue-Specific Security Policy (cont’d.)
• ISSP topics
– Email and internet use
– Minimum system configurations
– Prohibitions against hacking
– Home use of company-owned computer equipment
– Use of personal equipment on company networks
– Use of telecommunications technologies
– Use of photocopy equipment
Components of the ISSP
• Statement of Purpose
– Scope and applicability
– Definition of technology addressed
– Responsibilities
• Authorized Access and Usage of Equipment
– User access
– Fair and responsible use
– Protection of privacy

Components of the ISSP (cont’d.)
• Prohibited Usage of Equipment
– Disruptive use or misuse
– Criminal use
– Offensive or harassing materials
– Copyrighted, licensed or other intellectual property
– Other restrictions

Components of the ISSP (cont’d.)
• Systems management
– Management of stored materials
– Employer monitoring
– Virus protection
– Physical security
– Encryption
• Violations of policy
– Procedures for reporting violations
– Penalties for violations

Components of the ISSP (cont’d.)
• Policy review and modification
– Scheduled review of policy and procedures for modification
• Limitations of liability
– Statements of liability or disclaimers

Implementing the ISSP
• Common approaches
– Several independent ISSP documents
– A single comprehensive ISSP document
– A modular ISSP document that unifies policy creation and administration
• The recommended approach is the modular policy
– Provides a balance between issue orientation and policy management

System-Specific Security Policy
• System-specific security policies (SysSPs) frequently do not look like other types of policy
– They may function as standards or procedures to be used when configuring or maintaining systems
• SysSPs can be separated into
– Management guidance
– Technical specifications
– Or combined in a single policy document
Managerial Guidance SysSPs
• Created by management to guide the implementation and configuration of technology
• Applies to any technology that affects the confidentiality, integrity or availability of information
• Informs technologists of management intent

Technical Specifications SysSPs
• System administrators’ directions on implementing managerial policy
• Each type of equipment has its own type of policies
• General methods of implementing technical controls
– Access control lists
– Configuration rules
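The two implementation methods on this slide, an access control list and a set of configuration rules, as an added Python example (not the textbook's code): the ACL is default-deny, and the configuration checker treats a setting the policy requires but the host never sets as a violation, not as compliance. Group names, paths and the sshd_config-style sample are constructed for illustration.

```python
# Added example, not from the textbook: a SysSP technical specification written as an
# ACL plus configuration rules, with a checker for deviations. All values are constructed.

# ACL keyed by (group, object) -> permitted actions; anything not listed is denied.
ACL = {
    ("admins", "/etc/ssh/sshd_config"): {"read", "write"},
    ("helpdesk", "/etc/ssh/sshd_config"): {"read"},
    ("everyone", "/srv/public"): {"read"},
}

# Configuration rules: setting -> (required value, the managerial intent it implements).
CONFIG_RULES = {
    "PermitRootLogin": ("no", "no direct remote root access"),
    "PasswordAuthentication": ("no", "key-based authentication only"),
    "MaxAuthTries": ("4", "limit password guesses per connection"),
}

# Constructed sshd_config-style sample, not taken from any real host.
SAMPLE_CONFIG = """\
# constructed sample host
PermitRootLogin yes
PasswordAuthentication no
"""


def is_permitted(groups, obj, action):
    """Default deny: True only if one of the subject's groups grants the action on obj."""
    return any(action in ACL.get((group, obj), set()) for group in groups)


def parse_config(text):
    """Parse 'Key value' lines, skipping blanks and comments; keys are case-insensitive."""
    settings = {}
    for line in text.splitlines():
        parts = line.strip().split(None, 1)
        if not parts or parts[0].startswith("#"):
            continue
        settings[parts[0].lower()] = parts[1].strip() if len(parts) > 1 else ""
    return settings


def check_config(text):
    """Return (setting, actual, required, intent) for every rule the config violates;
    an absent setting is a violation, since the policy requires it to be set explicitly."""
    settings = parse_config(text)
    return [(key, settings.get(key.lower()), required, intent)
            for key, (required, intent) in CONFIG_RULES.items()
            if settings.get(key.lower()) != required]


if __name__ == "__main__":
    for key, actual, required, intent in check_config(SAMPLE_CONFIG):
        print(f"{key}: found {actual!r}, policy requires {required!r} ({intent})")
```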
