Developing Security Policies and Procedures - PowerPoint PPT Presentation
1
Developing Security Policies and Procedures
  • Norma Jean Schaefer
  • ITC/ISO
  • Kansas Bureau of Investigation

2
Ooooo policies. Yuck!
  • Policies are administration directives.
  • Policies set goals and assign responsibilities.
  • To users, policies are a pain.

3
Types of policies
  • Program policies - high level
  • System-specific policies - rules to protect
    systems and data
  • Issue-specific policies - loss of equipment,
    obtaining access, etc.

4
Anatomy of policies
  • Purpose statement
  • Scope - who and what the policy affects.
  • Responsibilities - who is responsible for what.
  • Who do you contact if you have questions.
  • Compliance - who is responsible for enforcing the
    policy. What the disciplinary action will be.

5
Policies need to be...
  • supported by administration.
  • written by a team.
  • reviewed by the legal division.
  • customizable and allow user input.
  • enforced automatically.

6
Tips on writing policies
  • Detailed policies are clearer but create an
    administrative burden, and users won't read them.
  • Write the full document; distribute the short
    version.
  • Make policies available in paper and on an
    Intranet.

7
Tips on writing policies
  • Don't reinvent the wheel.
  • Review policies annually.
  • Have new employees sign them before obtaining
    access to systems.

8
Training
  • Provide awareness training on policies.
  • Don't threaten your users; enlist your users.
  • Make them ISOs.
  • Make posters.
  • Give away prizes.

9
Some issue-specific security policies
  • Administrator
  • Internet and E-mail Use
  • PC and Network
  • Vendor
  • Network Connection

10
Procedures
  • Follow the same process with procedures.
  • Do not distribute procedures except on a
    need-to-know basis.
  • If procedures need to be distributed to users,
    mark them classified and explain to users why.

11
Positive attitude
  • Keep the delivery of policies positive.
  • Give praise.
  • Help users be successful.

12
Your reward
  • Safer network.
  • More productive work force.
  • More up-time.
  • More time to do other tasks.

13
Reference
  • Practices for Protecting Information Resource
    Assets
  • Texas Department of Information Resources, Austin,
    TX, March 2000

14
  • The security blueprint needs to be enforced and
    equality/fairness has nothing to do with it.
    Computer attacks are not fair to anyone. They are
    anything but equal.
  • -Defending your Digital Assets, Randall K.
    Nichols, Daniel J. Ryan and Julie J.C.H. Ryan