Unit Outline Information Security Policy

1. Unit OutlineInformation Security Policy Module 1: Purpose Module 2: Life Cycle Module 3: Terminology Module 4: Structure  Module 5: Summary

2. Module 5Summary

3. SummaryInformation Security Policy • Information security policies are meant to guide prevention of liability and harmful impacts to confidentiality, integrity, or availability of data (proprietary or confidential) and business processes. • It has a life cycle which includes risk analysis, creation, dissemination, enforcement, monitoring, and evaluation and also considers organizational processes. • An information security policy is made up of high-level policies (security program policy and acceptable use guidelines) as well as low-level policies (issue-specific and system-specific).

4. Suggested ReadingInformation Security Policy • Barman, S. (2002). Writing Information Security Policies. Boston, MA: New Riders. • Bruhn, M., & Peters, R. (2003). Policy Development for Information Security in M. Luker and R. Peters (eds.) Computer and Network Security in Higher Education, Josey-Bass, Inc. • Guel, M.D. (2001). A Short Primer for Developing Security Policies. SANS Institute. • Peltier, T.R. (2002). Information Security Policies, Procedures, and Standards: Guidelines for Effective Information Security Management. Boca Raton, FL: Auerbach Publications. • Wood, C.C. (2002). Information Security Policies Made Easy, 9th edition. Houston, TX: PentaSafe Security Technologies. • Zhang, Y., Liu, X., & Wang W. (2005). Policy Lifecycle Model for Systems Management. IT Pro, 50-54.

5. AcknowledgementsGrants and Personnel • Support for this work has been provided through the following grants • NSF 0210379 • FIPSE P116B020477 • Damira Pon, from the Center of Information Forensics and Assurance contributed extensively by reviewing and editing the material • Robert Bangert-Drowns from the School of Education provided extensive review of the material from a pedagogical view.