MANAGEMENT of INFORMATION SECURITY_Ch04.ppt

* The Information Security Policy Made Easy Approach (ISPME) Gathering Key Reference Materials Defining A Framework For Policies Preparing A Coverage Matrix Making Critical Systems Design Decisions Structuring Review, Approval, And Enforcement Processes * * SP 800-18: Guide for Developing Security Plans The NIST Special Publication 800-18 offers another approach to policy management. Because policies are living documents that constantly change and grow. These documents must be properly disseminated (distributed, read, understood and agreed to), and managed. Good management practices for policy development and maintenance make for a more resilient organization. In order to remain current and viable, policies must have: an individual responsible for reviews, a schedule of reviews, a method for making recommendations for reviews, and an indication of policy and revision date. * * A Final Note on Policy Lest you believe that the only reason to have policies is to avoid litigation, it is important to emphasize the preventative nature of policy. Policies exist first, and foremost, to inform employees of what is and is not acceptable behavior in the organization. This is an effort to improve employee productivity, and prevent potentially embarrassing situations. If the organization could not verify that the employee was in fact properly educated on the policy, as described earlier in the chapter, the employee could sue the organization for wrongful termination. Lawsuits cost money, and the organization could be so financially devastated that it had to go out of business. Other employees lose their livelihood, and no one wins. * Components of the EISP Statement of Purpose - Answers the question “What is this policy for?” Provides a framework for the helps the reader to understand the intent of the document. Information Technology Security Elements - Defines information security. Need for Information Technology Security - Provides information on the importance o