Information Security Policy - PowerPoint PPT Presentation
1
Information Security Policy
  • Information security policies underpin the
    security and well-being of information
    resources; they are the foundation, the bottom
    line, of information security within an
    organization.

By Clark Brown
2
ISP Defined
  • An ISP is a guide which establishes general
    principles for initiating, implementing,
    maintaining, complying, and improving information
    security management within an organization.
  • An ISP is generically governed by two
    International Standards Organization (ISO)
    documents, ISO 17799:2005 and ISO 27001, and by
    HIPAA
  • ISO 17799 Code of Practice
  • ISO 27001/BS7799 Information security management
    systems (measurable) requirements specification
    (Organization Certification)
  • Health Insurance Portability and Accountability
    Act
  • Only in the case of Medical and/or Health
    related systems

3
ISO / HIPAA Compliance
  • Compliance with this internationally recognized
    standard is growing in importance.
  • When considering your position with respect to
    ISO and HIPAA
  • Basic awareness of the standard

4
INFORMATION SECURITY POLICIES
  • The first consideration revolves around the
    content and structure of the policies themselves
  • Cost effectiveness
  • When adopting, or when simply redeveloping
    existing policies, a number of less direct factors
    should also be taken on board - how will the
    policies sit with ISO 17799, for instance

5
POLICY IMPLEMENTATION
  • Having a security policy document in itself is
    not enough...
  • The fundamental question
  • The most dynamic and direct method is to deliver
    the policies directly to the user's desktop.

6
SECURITY POLICIES & RISK
  • Relationship between information security
    policies and risk analysis
  • The bottom line...
  • This is the bedrock of risk analysis

7
SCOPE & LEGISLATION
  • When embracing security policies, it is important
    to consider their objectives, scope and coverage.
    Awareness is another often neglected area.
  • LEGISLATION: Comprehensive information security
    policies
  • Legislation itself is often regarded as a form
    of policy
  • From a cost effectiveness perspective

8
What Should My Policy Cover?
  • Scope
  • Terms and definitions
  • Security Policy
  • Information Security Policy
  • Security Organization
  • Information Security Infrastructure
  • Security and Third Party Access
  • Outsourcing
  • Asset Classification and Control
  • Accountability for assets
  • Information Classification
  • Personnel Security
  • Security in Job Definition and Resourcing
  • User Training
  • Access Control: Business Requirement for Access
    Control, User Access Management, User
    Responsibilities, Network Access Control,
    Operating System Access Control, Application
    Access Management, Monitoring System Access and
    Use, Mobile Computing and Telenetworking
  • System Development and Maintenance: Security
    Requirements of Systems, Security in Application
    Systems, Cryptographic Controls, Security of
    System Files, Security in Development and Support
    Processes
  • Business Continuity Management: Aspects of
    Business Continuity Management
  • Compliance: Compliance with Legal Requirements,
    Reviews of Security Policy and Technical
    Compliance, System Audit Considerations

Reference: http://iso-17799.safemode.org
9
ISP Scope
  • Everything in the Garden?
  • The answer to this question lies with you as the
    manager.
  • How big?
  • How many?
  • How dispersed?
  • How much will it cost?
  • What could be lost?
  • How many resources do I have?
  • What governs my compliance?
  • What directives must I consider?

What happens if I do nothing?
10
Security Manager
  • A good start
  • A great outline
  • A good reference over time
  • Ongoing user training
  • Provides a constant picture of where you are
  • Source of communication to the organization
  • Establishes budget expectations

11
Hacker
  • If he knows your policies he knows your
    philosophy with regard to security.
  • Derive your vulnerabilities from your policy
    philosophy.
  • Decide if it's worth his time based on your level
    of detail

12
References
  • http://www.information-security-policies-and-stand
    ards.com/
  • http://www.informationshield.com/ispmemain.htm?c1
    sesourcegooglekwpolicyGroup (1350 pre-written
    policies) They aren't free, but if you are serious
    about having a security policy and don't know
    where to start, this is a good source.
  • http://iso-17799.safemode.org
  • http://www.sans.org
  • http://www.findwhitepapers.com/index.php?optionco
    m_categoryreporttaskviewlistid6cat79gclidC
    JrQ_cC1m4oCFQ6kWAoddmxjmw

13
Questions?