Information Assurance Policy and Management (Original notes by Sheldon Durrant and Timothy Summers)
Purpose of the Policy • Recognizing sensitive information assets • Clarifying security responsibilities • Promoting awareness for existing employees • Guiding new employees
Management Goals for Policy • A policy typically states three to five management goals, such as: • Promote efficient business operation. • Facilitate sharing of information throughout the organization. • Safeguard business and personal information. • Ensure that accurate information is available to support business processes. • Ensure a safe and productive place to work. • Comply with applicable laws and regulations.
Role of Management in Policy • Owners (the owner of a system is not necessarily one of its users) • “Each piece of computing equipment is owned by someone, and the owner may not be a system user. An owner provides the equipment to users for a purpose, such as to further education, support commerce, or enhance productivity. A security policy should also reflect the expectations and needs of the owners.”
Characteristics of Good Policy • Be easy to understand • Be applicable • Be doable • Be enforceable • Be phased in • Be proactive • Avoid absolutes (allow for exceptions) • Meet business objectives
Policy Enforcement • Policies are meaningless if they are not enforced. • Steps the organization must take: • Collect the information needed to detect violations • Emphasize training as part of routine operations • Ensure that policies are distributed to everyone they apply to
Monitoring • People do not like to feel as if they are being watched. • Monitoring may lead to employee mistrust and/or legal issues. • All users must be made aware of the organization’s right to monitor, and that notice should be explicit and documented (for example, in the acceptable-use policy the user acknowledges), not assumed.
Remedies • The organization has the right to control the environment in which the system operates. • Remedies are the penalties imposed for breaking the rules. • Remedies should also include a clear definition of the disciplinary escalation process.
Auditing • Management should delegate auditing responsibilities. • The policy should state • who is responsible for capturing data for auditing purposes • how such data should be handled and stored • who should have access to the data.
Policy Review • Security policies should grow and change along with the organization. • Policies should state how often they will be reviewed and/or updated. • Provisions should exist so that sudden or unexpected changes to the policy can be adopted; this might take the form of waivers. – Barman, “Writing Information Security Policies”
Process of Policy Reviews • Policy reviews should include information gained from audits and risk assessments. • Management should make it a point to be involved in the policy review, to ensure that any changes in policy are in line with the goals, vision and direction of the organization. • Policy reviews should include everyone who was responsible for developing the policies in the first place, including management, administrators, security staff, and human resources.