1 / 23

Security Policies and Procedures : Principles and Practices

Security Policies and Procedures : Principles and Practices. Chapter 1: Definition of Policy. Objectives. Describe the cultural significance of policies Recognize the role policy plays in government Evaluate the role policy plays in corporate culture

frieda
Télécharger la présentation

Security Policies and Procedures : Principles and Practices

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Security Policies and Procedures: Principles and Practices Chapter 1: Definition of Policy

  2. Objectives • Describe the cultural significance of policies • Recognize the role policy plays in government • Evaluate the role policy plays in corporate culture • Identify how federal regulations apply to corporations and other organizations • Apply the psychology of policy • Introduce a policy successfully • Achieve acceptance of policy • Enforce a policy

  3. Introduction • Policy: “a definite course of action or procedure selected from among alternatives and in light of given conditions to guide and determine present and future decisions”** (** per www.merriamwebster.com)

  4. Defining Policy • Information Security Policy: a document that states how an organization plans to protect its tangible and intangible information assets • Components of an Information Security Policy include: • Acceptable Internet Use Policy • Non-Disclosure Agreement • Password Policy • Backup Policy

  5. Defining Policy Cont. • What is an Information Asset? • Any information item, regardless of storage format, that represents value to the organization, is considered an Information Asset

  6. Defining Policy Cont. • Tangible vs. Intangible Information Assets: • Tangible information assets are assets that are physical in nature, that can be “touched” • Tangible information assets include: • Facilities • Hardware • Software

  7. Defining Policy Cont. • Tangible vs. Intangible Information Assets: • Intangible information assets are defined as the business-critical body of information a company requires to conduct business • Intangible information assets include: • Reputation • Intellectual property • Intellectual capital

  8. Defining Policy Cont. • The goal of information security policies is to protect information –to protect: • The company • The company’s partners • The company’s clients

  9. Defining Policy Cont. • Information exists in three different states: • Where and how it is stored • Where and how it is processed • Where and how it is transmitted

  10. Defining Policy Cont. • Information resides in three different places: • Information Technology Systems • Paper • Human Brain

  11. Looking at Policy through the Ages • The role of the Torah and Bible as written policy • 3000-year old documents include business rules still in practice today • First documented attempt at creating a code to preserve order

  12. Looking at Policy through the Ages Cont. • The US Constitution as a Policy Revolution • A collection of articles and amendments that codify all aspects of American government along with citizens’ rights and responsibilities • A rule set with a built-in mechanism for change

  13. Defining the Role of Policy in Government • Why do governments use policies? • To specify actions, decisions & responses for specific situations • A policy for each government area • Areas include, among many others, Foreign Policy, Education and Health Care

  14. Defining the Role of Policy in Government Cont. • Laws in relationship to policy • Laws define what may or may not be done in a given society, along with the consequences of acting against the agreed upon legislative written text • Not unlike policies, laws must be accepted, enforced, fair, impartial and consistent • There is a clear parallel between governments and organizations in their need for policies

  15. Defining the Role of Policy in Corporate Culture • What is a corporate culture? • A combination of shared set of attitudes, values, goals and practices that characterize an organization

  16. Defining the Role of Policy in Corporate Culture Cont. • How do policies contribute to the success of an organization? • By supporting the defined goal of the organization • By providing consistency in the services, products and culture within the organization • By protecting the assets of the organization

  17. Consistency in Services, Products, and Corporate Culture • Policies must be fair and consistent. The same violation should yield the same punishment, regardless of who the employee is and what their function is • Impact of inconsistent policies and policy enforcement: • is negative on employee morale • can lead to legal repercussions

  18. Complying with Government Policies • It is the responsibility of all businesses to understand what federal mandate they may fall under • Examples of federal mandates include: • HIPAA • GLBA • If necessary, organizations should retain expert, third-party assistance to assure compliance

  19. Understanding the Psychology of Policy • Policies should be implemented in a way that promotes acceptance • People at all levels of the organization should be involved in the creation of the policy • Key employees must be identified • Significant roles must be identified • Change Drivers must be monitored and integrated in the policy-making process

  20. Introducing a Policy • Two action items: • Getting approval from senior management • Introducing the actual policy to the whole organization

  21. Achieving Acceptance of the Policy • True Leadership starts at the top • Do as I do vs. do as I say • Repetition is the mother of all learning • Regularly remind employees of security-centric topics • Keep the policy updated • Some obsolete content may lead to complete disregard of the whole document

  22. Enforcing Information Security Policies • A lack of policy enforcement leads to a loss of credibility • Behavioral Policies: • Maintain consistency and fairness in enforcing policies • Technical Policies • Use built-in and 3rd-party solutions to automate policy enforcement

  23. Summary Policies apply to governments as well as to business organizations. When people are grouped to achieve a common goal, policies provide a framework that guides the company and protects the assets of that company. The policy must follow creation, distribution and maintenance guidelines to insure its acceptance and ultimately its success in protecting the organization, its partners, and its clients.

More Related