By Wirda munira, 1 year ago.
CHAPTER 4: INFORMATION SECURITY POLICY by Hafisha Amila
Guidelines for Effective Policy
  • Management processes are established to perpetuate the policy within the organization
  • A senior manager or executive at the appropriate level and the organization's legal counsel review and formally approve the document
  • The policy is designed and written
Policy
  • Bull's-eye model layers
    • Applications
    • System
    • Network
    • Policies
  • Policies are the essential foundation of an effective information security program
System-Specific Security Policies (SysSPs)
  • Combination SysSPs
  • Methods of implementing
    • Configuration rules
    • Access control lists
      • Read
      • Write
      • Execute
      • Delete
  • Applies to any technology that affects the confidentiality, integrity, or availability of information
Issue-Specific Security Policy (ISSP)
  • Provides detailed, targeted guidance to instruct all members of the organization in the use of a resource
  • An organization's ISSPs should
    • Contain a statement on the organization's position on an issue
    • Require frequent updates
    • Address specific technology-based systems
  • Fair and responsible use policies
Enterprise Information Security Policy (EISP)
  • Should not contradict the organizational mission statement
  • Guides the development, implementation, and management requirements of the InfoSec program
  • Essential foundation of an effective information security program