Which section of the ISSP policy statement focuses on the user's relationship to systems management?

CST 233 INFORMATION SECURITY AND ASSURANCE

ASSIGNMENT 2 WHITEPAPER: TYPES OF SECURITY POLICIES: EISP, ISSP AND SysSP

PREPARED BY: MUHAMAD AMIRUL BIN MAT HUSSAIN 106711

LECTURER: DR AMAN JANTAN

2011/2012


Table of Contents

Introduction ... 3
Definitions of Policy ... 4
Purpose of Policy ... 4-5
Types of Security Policy ... 6
Enterprise Information Security Policy (EISP) ... 6-8
Issue-Specific Security Policy (ISSP) ... 8-9
System-Specific Policy (SysSP) ... 10
Case Study ... 11-15
Conclusion ... 16
References ... 17

1. Introduction

The term security policy, and the importance of information security in management or business, are still not recognized by many people in organizations, companies and elsewhere. Management from all communities of interest, including general staff, information technology, and information security, should make policies for their organization. Policies direct how issues should be addressed and how technologies should be used. For a large company or organization, developing a single policy document that speaks to all types of users within the organization and addresses all the necessary information security issues may be difficult. It should be noted that there is no single method for developing a security policy or policies. Many factors must be taken into account, including the type of audience and the company's business and size. This paper therefore addresses the three types of security policy that the management of each company or organization must define: Enterprise Information Security Policies (EISP), Issue-Specific Security Policies (ISSP), and Systems-Specific Security Policies (SysSP).

2. Definitions of Policy

In discussions of computer security, the term policy has more than one meaning. As noted in an Office of Technology Assessment report, Information Security and Privacy in Network Environments (1994), "Security Policy refers here to the statements made by organizations, corporations, and agencies to establish overall policy on information access and safeguards." Another meaning of policy comes from the book Principles of Information Security, 4th Edition (2012), and refers to the plan or course of action that conveys instructions from an organization's senior management to those who make decisions, take actions, and perform other duties. Policy is senior management's directive to create a computer security program, establish its goals, and assign responsibilities. The term policy is also used to refer to the specific security rules for particular systems. Additionally, policy may refer to entirely different matters, such as the specific managerial decisions setting an organization's e-mail privacy policy, Internet use policy, and others.

3. Purpose of Policy

A security policy should fulfill many purposes. The basic purposes of a policy are that it should:

- Protect people and information
- Set the rules for expected behavior by users, system administrators, management, and security personnel
- Authorize security personnel to monitor, probe, and investigate
- Define and authorize the consequences of violation
- Define the company's consensus baseline stance on security
- Help minimize risk
- Help track compliance with regulations and legislation

Information security policies provide a framework for best practice that can be followed by all employees. They help to ensure that risk is minimized and that any security incidents are effectively responded to. Information security policies also help turn staff into participants in the company's efforts to secure its information assets, and the process of developing these policies helps to define a company's information assets. An information security policy defines the organization's attitude to information, and announces internally and externally that information is an asset, the property of the organization, and is to be protected from unauthorized access, modification, disclosure, and destruction.

4. Types of Security Policy

4.1 Enterprise Information Security Policy (EISP)

A management official, normally the head of the organization or the senior administration official, issues program policy to establish (or restructure) the organization's computer security program and its basic structure. The EISP is based on and directly supports the mission, vision, and direction of the organization. This high-level policy defines the purpose of the program and its scope within the organization, assigns responsibilities (to the computer security organization) for direct program implementation, as well as other responsibilities to related offices (such as the Information Resources Management [IRM] organization), and addresses compliance issues. The EISP sets the organization's strategic direction for security and assigns resources for its implementation. A good EISP should address the following components:

Purpose: Program policy normally includes a statement describing why the program is being established. This may include defining the goals of the program. Security-related needs, such as integrity, availability, and confidentiality, can form the basis of organizational goals established in policy. For instance, in an organization responsible for maintaining large mission-critical databases, reduction in errors, data loss, data corruption, and recovery might be specifically stressed. In an organization responsible for maintaining confidential personal data, however, goals might emphasize stronger protection against unauthorized disclosure.

Scope: Program policy should be clear as to which resources (including facilities, hardware, software, information, and personnel) the computer security program covers. In many cases, the program will encompass all systems and organizational personnel, but this is not always true. In some instances, it may be appropriate for an organization's computer security program to be more limited in scope.

Responsibilities: Once the computer security program is established, its management is normally assigned to either a newly created or an existing office. The responsibilities of officials and offices throughout the organization also need to be addressed, including line managers, application owners, users, and the data processing organization. This section of the policy statement, for example, would distinguish between the responsibilities of computer services providers and those of the managers of applications using the provided services. The policy could also establish operational security offices for major systems, particularly those at high risk or most critical to organizational operations. It can also serve as the basis for establishing employee accountability.

Compliance: The EISP typically addresses two compliance issues:

1. General compliance, to ensure that the requirements to establish a program, and the responsibilities assigned therein to various organizational components, are met. Often an oversight office, for example the Inspector General, is assigned responsibility for monitoring compliance, including how well the organization is implementing management's priorities for the program.

2. The use of specified penalties and disciplinary actions. Since the security policy is a high-level document, specific penalties for various infractions are normally not detailed here; instead, the policy may authorize the creation of compliance structures that include violations and specific disciplinary actions.

4.2 Issue-Specific Security Policy (ISSP)

Unlike the EISP, which is intended to address the broad organization-wide computer security program, issue-specific security policies (ISSP) are developed to focus on areas of current relevance and concern to an organization. Management may find it appropriate, for example, to issue a policy on specific minimum configurations of computers to defend against worms and viruses, or on the use of the Internet. A policy could also be issued, for example, on prohibitions against hacking and testing the organization's security controls. An ISSP may also be appropriate when new issues arise, such as when implementing a recently passed law requiring additional protection of particular information. The EISP is usually broad enough that it does not require much modification over time, whereas ISSPs are likely to require more frequent revision as changes in technology and related factors take place. Just as the EISP has its own components, a good ISSP also needs to include the following components:

Statement of Policy: Defines the scope and applicability of the policy, the technology addressed, and the responsibilities of the persons in charge of or covered by this policy.

Authorized Access and Usage of Equipment: Examines user access and fair and responsible use, and also explains the protection of privacy.

Prohibited Usage of Equipment: Defines and explains disruptive use or misuse, offensive or harassing materials, and other restrictions.

Systems Management: Focuses on the user's relationship to systems management. Specific rules from management include regulating the use of email, storage of materials, virus protection, physical security and encryption.

Violations of Policy: The policy statement should contain the procedures for reporting violations and the penalties for violations.

Limitations of Liability: The policy states the statements of liability; for example, the company will not protect an employee who is caught violating company policy.

4.3 Systems-Specific Policy (SysSP)

While ISSPs are formalized as written documents readily identifiable as policy, systems-specific policies (SysSP) have a different look. They often function a

What are the components of ISSP?

The IS Security Policy has three basic components (confidentiality, integrity and availability), intended to preserve adequate security of information systems. Confidentiality: protecting sensitive information from unauthorised disclosure.

In which phase of the development of an InfoSec policy Must a plan to distribute the policies be developed?

Why is this important? During the implementation phase, the team must create a plan to distribute the policies and to verify their distribution.

What is ISSP in information security?

The Information System Security Plan (ISSP) must fully identify and describe the controls currently in place or planned for the system, and should include a list of rules of behavior. The existence of, and adherence to, an ISSP is a fundamental requirement in system security certification.

Which of the following security policy sets the strategic direction scope and tone for an organization's efforts?

The EISP is used to determine the scope, tone and strategic direction of a company's security efforts and all the security topics within them. This policy should directly reflect the goals and mission of the company.