Security Policies and Procedures: Principles and Practices
Chapter 1: Definition of Policy
Objectives
- Describe the cultural significance of policies
- Recognize the role policy plays in government
- Evaluate the role policy plays in corporate culture
- Identify how federal regulations apply to corporations and other organizations
- Apply the psychology of policy
- Introduce a policy successfully
- Achieve acceptance of policy
- Enforce a policy
Introduction
- Policy: “a definite course of action or procedure selected from among alternatives and in light of given conditions to guide and determine present and future decisions” (per www.merriamwebster.com)
Defining Policy
- Information Security Policy: a document that states how an organization plans to protect its tangible and intangible information assets
- Components of an Information Security Policy include:
  - Acceptable Internet Use Policy
  - Non-Disclosure Agreement
  - Password Policy
  - Backup Policy
Defining Policy Cont.
- What is an Information Asset? Any information item, regardless of storage format, that represents value to the organization is considered an Information Asset
Defining Policy Cont.
- Tangible vs. Intangible Information Assets: tangible information assets are assets that are physical in nature, that can be “touched”
- Tangible information assets include:
  - Facilities
  - Hardware
  - Software
Defining Policy Cont.
- Tangible vs. Intangible Information Assets: intangible information assets are defined as the business-critical body of information a company requires to conduct business
- Intangible information assets include:
  - Reputation
  - Intellectual property
  - Intellectual capital
Defining Policy Cont.
- The goal of information security policies is to protect information, and by doing so to protect:
  - The company
  - The company’s partners
  - The company’s clients
Defining Policy Cont.
- Information exists in three different states:
  - Where and how it is stored
  - Where and how it is processed
  - Where and how it is transmitted
Defining Policy Cont.
- Information resides in three different places:
  - Information Technology Systems
  - Paper
  - Human Brain
Looking at Policy through the Ages
- The role of the Torah and Bible as written policy
  - 3,000-year-old documents that include business rules still in practice today
  - The first documented attempt at creating a code to preserve order
Looking at Policy through the Ages Cont.
- The US Constitution as a Policy Revolution
  - A collection of articles and amendments that codify all aspects of American government along with citizens’ rights and responsibilities
  - A rule set with a built-in mechanism for change
Defining the Role of Policy in Government
- Why do governments use policies? To specify actions, decisions and responses for specific situations
- A policy for each government area
  - Areas include, among many others, Foreign Policy, Education and Health Care
Defining the Role of Policy in Government Cont.
- Laws in relationship to policy
  - Laws define what may or may not be done in a given society, along with the consequences of acting against the agreed-upon legislative written text
  - Not unlike policies, laws must be accepted, enforced, fair, impartial and consistent
- There is a clear parallel between governments and organizations in their need for policies
Defining the Role of Policy in Corporate Culture
- What is a corporate culture? A combination of a shared set of attitudes, values, goals and practices that characterize an organization
Defining the Role of Policy in Corporate Culture Cont.
- How do policies contribute to the success of an organization?
  - By supporting the defined goal of the organization
  - By providing consistency in the services, products and culture within the organization
  - By protecting the assets of the organization
Consistency in Services, Products, and Corporate Culture
- Policies must be fair and consistent: the same violation should yield the same punishment, regardless of who the employee is and what their function is
- Impact of inconsistent policies and policy enforcement:
  - Negative effect on employee morale
  - Can lead to legal repercussions
Complying with Government Policies
- It is the responsibility of all businesses to understand which federal mandates they may fall under
- Examples of federal mandates include:
  - HIPAA
  - GLBA
- If necessary, organizations should retain expert, third-party assistance to assure compliance
Understanding the Psychology of Policy
- Policies should be implemented in a way that promotes acceptance
- People at all levels of the organization should be involved in the creation of the policy
  - Key employees must be identified
  - Significant roles must be identified
- Change Drivers must be monitored and integrated in the policy-making process
Introducing a Policy
- Two action items:
  - Getting approval from senior management
  - Introducing the actual policy to the whole organization
Achieving Acceptance of the Policy
- True leadership starts at the top
  - Do as I do vs. do as I say
- Repetition is the mother of all learning
  - Regularly remind employees of security-centric topics
- Keep the policy updated
  - Some obsolete content may lead to complete disregard of the whole document
Enforcing Information Security Policies
- A lack of policy enforcement leads to a loss of credibility
- Behavioral Policies
  - Maintain consistency and fairness in enforcing policies
- Technical Policies
  - Use built-in and 3rd-party solutions to automate policy enforcement
Summary
Policies apply to governments as well as to business organizations. When people are grouped to achieve a common goal, policies provide a framework that guides the company and protects the assets of that company. The policy must follow creation, distribution and maintenance guidelines to ensure its acceptance and ultimately its success in protecting the organization, its partners, and its clients.