Security Policies and Procedures: Principles and Practices Chapter 1: Definition of Policy
Objectives • Describe the cultural significance of policies • Recognize the role policy plays in government • Evaluate the role policy plays in corporate culture • Identify how federal regulations apply to corporations and other organizations • Apply the psychology of policy • Introduce a policy successfully • Achieve acceptance of policy • Enforce a policy
Introduction • Policy: “a definite course of action or procedure selected from among alternatives and in light of given conditions to guide and determine present and future decisions” (Merriam-Webster, www.merriamwebster.com)
Defining Policy • Information Security Policy: a document that states how an organization plans to protect its tangible and intangible information assets • Components of an Information Security Policy include: • Acceptable Internet Use Policy • Non-Disclosure Agreement • Password Policy • Backup Policy
Defining Policy Cont. • What is an Information Asset? • Any information item, regardless of storage format, that represents value to the organization is an information asset
Defining Policy Cont. • Tangible vs. Intangible Information Assets: • Tangible information assets are assets that are physical in nature, that can be “touched” • Tangible information assets include: • Facilities • Hardware • Software
Defining Policy Cont. • Tangible vs. Intangible Information Assets: • Intangible information assets are defined as the business-critical body of information a company requires to conduct business • Intangible information assets include: • Reputation • Intellectual property • Intellectual capital
Defining Policy Cont. • The goal of information security policies is to protect information, and through it to protect: • The company • The company’s partners • The company’s clients
Defining Policy Cont. • Information exists in three different states, and policy must address each: • Where and how it is stored (at rest) • Where and how it is processed (in use) • Where and how it is transmitted (in transit)
Defining Policy Cont. • Information resides in three different places: • Information Technology Systems • Paper • Human Brain
Looking at Policy through the Ages • The role of the Torah and Bible as written policy • 3,000-year-old documents include business rules still in practice today • One of the earliest documented attempts at creating a written code to preserve order
Looking at Policy through the Ages Cont. • The US Constitution as a Policy Revolution • A collection of articles and amendments that codify the structure of American government along with citizens’ rights and responsibilities • A rule set with a built-in mechanism for change (the amendment process)
Defining the Role of Policy in Government • Why do governments use policies? • To specify actions, decisions & responses for specific situations • A policy for each government area • Areas include, among many others, Foreign Policy, Education and Health Care
Defining the Role of Policy in Government Cont. • Laws in relationship to policy • Laws define what may or may not be done in a given society, along with the consequences of breaking the agreed-upon written text • Like policies, laws must be accepted, enforced, fair, impartial and consistent • There is a clear parallel between governments and organizations in their need for policies
Defining the Role of Policy in Corporate Culture • What is a corporate culture? • The shared set of attitudes, values, goals and practices that characterizes an organization
Defining the Role of Policy in Corporate Culture Cont. • How do policies contribute to the success of an organization? • By supporting the defined goal of the organization • By providing consistency in the services, products and culture within the organization • By protecting the assets of the organization
Consistency in Services, Products, and Corporate Culture • Policies must be fair and consistent: the same violation should yield the same consequence, regardless of who the employee is or what their function is • Impact of inconsistent policies or inconsistent enforcement: • damages employee morale • exposes the organization to legal repercussions (selective enforcement is hard to defend)
Complying with Government Policies • It is the responsibility of every business to understand which federal mandates it may fall under • Examples of federal mandates include: • HIPAA (Health Insurance Portability and Accountability Act) • GLBA (Gramm-Leach-Bliley Act) • If necessary, organizations should retain expert, third-party assistance to ensure compliance
Understanding the Psychology of Policy • Policies should be implemented in a way that promotes acceptance • People at all levels of the organization should be involved in the creation of the policy • Key employees must be identified • Significant roles must be identified • Change Drivers must be monitored and integrated in the policy-making process
Introducing a Policy • Two action items: • Getting approval from senior management • Introducing the actual policy to the whole organization
Achieving Acceptance of the Policy • True leadership starts at the top • “Do as I do” works; “do as I say” does not • Repetition is the mother of all learning • Regularly remind employees of security-centric topics • Keep the policy updated • Even a small amount of obsolete content can lead employees to disregard the whole document
Enforcing Information Security Policies • A lack of policy enforcement leads to a loss of credibility for the whole policy • Behavioral Policies: • Maintain consistency and fairness in enforcing policies, since enforcement depends on people • Technical Policies: • Use built-in and third-party solutions to automate policy enforcement, so the rule is applied the same way every time
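As an added example (not from the book or the course materials) of a technical policy whose enforcement is automated, the block below takes the Password Policy listed earlier among the components of an information security policy and expresses it as data plus one checking function. The thresholds (12-character minimum, three character classes), the short deny list and the sample user names and passwords are all constructed for illustration; a real deployment would take the numbers from the written policy and load a full breached-password list. The point the slides make is visible in the structure: the rules live in one `PasswordPolicy` object, so updating the policy document and updating the control are the same change, and every account is judged by the same code, which is the consistency the slides ask for.

```python
"""Added example: a password policy written as data and enforced by one function."""
from dataclasses import dataclass

# Constructed deny list for the example; production systems use a much larger
# breached-password list loaded from a file or a service.
COMMON_PASSWORDS = frozenset({
    "password", "password1", "123456", "qwerty", "letmein", "welcome",
})


@dataclass(frozen=True)
class PasswordPolicy:
    """The rules of the policy. Changing the policy means changing this object,
    not the enforcement code, which keeps the document and the control in step.
    All defaults are illustrative assumptions, not values from the book."""
    min_length: int = 12
    max_length: int = 128
    min_char_classes: int = 3          # out of: lower, upper, digit, symbol
    deny_list: frozenset = COMMON_PASSWORDS
    forbid_username: bool = True       # password may not contain the account name


DEFAULT_POLICY = PasswordPolicy()


def char_classes(password: str) -> int:
    """Count how many of the four classes (lower, upper, digit, symbol) appear."""
    has_lower = any(c.islower() for c in password)
    has_upper = any(c.isupper() for c in password)
    has_digit = any(c.isdigit() for c in password)
    has_symbol = any(not c.isalnum() for c in password)   # anything else, including space
    return sum((has_lower, has_upper, has_digit, has_symbol))


def evaluate(policy: PasswordPolicy, password: str, username: str = "") -> list:
    """Return the list of policy violations; an empty list means compliant.
    Every rule is checked, so the user learns everything that is wrong at once."""
    violations = []
    if len(password) < policy.min_length:
        violations.append(f"shorter than {policy.min_length} characters")
    if len(password) > policy.max_length:
        violations.append(f"longer than {policy.max_length} characters")
    if char_classes(password) < policy.min_char_classes:
        violations.append(f"uses fewer than {policy.min_char_classes} character classes")
    if password.lower() in policy.deny_list:
        violations.append("is on the common-password deny list")
    if policy.forbid_username and username and username.lower() in password.lower():
        violations.append("contains the account name")
    return violations


def is_compliant(policy: PasswordPolicy, password: str, username: str = "") -> bool:
    """Single yes/no answer for callers that only need to accept or reject."""
    return not evaluate(policy, password, username)


if __name__ == "__main__":
    # Constructed sample submissions (user name, proposed password).
    samples = [
        ("alice", "password"),
        ("bob", "Summer2024!"),
        ("alice", "Alice-Wonderland-2024!"),
        ("carol", "Correct-Horse-Battery-Staple-42"),
    ]
    for user, pw in samples:
        problems = evaluate(DEFAULT_POLICY, pw, user)
        verdict = "OK" if not problems else "REJECTED: " + "; ".join(problems)
        print(f"{user:6} {pw!r:36} {verdict}")
```

Because the checks are plain functions of the policy object, the same `evaluate` call can sit behind a password-change form, an account-provisioning script and a periodic audit, giving one consistent verdict in all three places. To tighten the policy later (for example, raise `min_length`), construct a new `PasswordPolicy` rather than editing the rule logic, and keep the written policy document in agreement with the values used.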
Summary Policies apply to governments as well as to business organizations. When people are grouped to achieve a common goal, policies provide a framework that guides the organization and protects its assets. A policy must follow creation, distribution and maintenance guidelines to ensure its acceptance and, ultimately, its success in protecting the organization, its partners and its clients.