Week 5.2 Policy Management PDF
Uploaded by MonumentalBluebell9597
National University - Mall of Asia
Summary
This document discusses policy management, security policies, and related topics. It includes sections on responsible management, review schedules, review procedures, policy and revision dates, and automated policy management. These topics are essential for establishing and maintaining effective policies for organizations.
Full Transcript
Policy Management

Policies are living documents that must be managed. These documents must be properly distributed, read, understood, agreed to, uniformly applied, and managed.

Components of Security Policies

1. Responsible Manager
The policy manager is often called the Policy Administrator.
Policy Administrator: an employee responsible for the creation, revision, distribution, and storage of a policy in an organization.

2. Schedule of Reviews
Policies can only retain their effectiveness in a changing environment if they are periodically reviewed for currency and accuracy and then modified accordingly. Policies that are not kept current can become liabilities as outdated rules are enforced (or not) and new requirements are ignored.

3. Review Procedures and Practices
To facilitate policy reviews, the policy manager should implement a mechanism by which people can comfortably make recommendations for revisions, whether via e-mail, office mail, or an anonymous drop box. Once the policy has come up for review, all comments should be examined, and management-approved improvements should be implemented.

4. Policy and Revision Date
The simple action of dating the policy is often omitted. When policies are drafted and published without dates, confusion can arise. Some policies may also need a sunset clause that indicates their expiration date, particularly if the policies govern information use in short-term business associations.
Sunset clause: a component of policy or law that defines an expected end date for its applicability.

Automated Policy Management
This type of software was developed in response to the needs of information security practitioners. Automation can streamline the repetitive steps of writing policy, tracking the workflow of policy approvals, publishing policy once it is written and approved, and tracking when employees have read the policy.

The Security Blueprint

Information Security Blueprint: the basis for all security program elements; a scalable, upgradeable, comprehensive plan to meet the organization's current and future information security needs.

Information Security Framework: an outline or structure of the organization's overall information security strategy that is used as a road map for planned changes to its information security environment; often developed as an adaptation or adoption of a popular methodology, like NIST's security approach or the ISO 27000 series.

Information Security Model: an established information security framework, often popular among other organizations and backed by a recognized security agency, with exemplar details an organization may want to emulate in creating its own framework and blueprint.

Design of Security Architecture

The Sphere of Security measures how well you're protected against intruders.

Spheres of Security:
Sphere of Use: refers to an area where a person can use something safely or freely.
Sphere of Protection: designates an area in which a person is legally permitted to protect another person from any dangers that might exist there.
Sphere of Safety: this sphere requires attentiveness for overhead hazards, underground dangers, and surrounding risks.

Level of Control (Key Differences)

1. Managerial Controls
Information security safeguards that focus on administrative planning, organizing, leading, and controlling, and that are designed by strategic planners and implemented by the organization's security administration. These safeguards include governance and risk management.

2. Operational Controls
Information security safeguards focusing on lower-level planning that deals with the functionality of the organization's security. These safeguards include disaster recovery and incident response planning.

3. Technical Controls
Information security safeguards that focus on the application of modern technologies, systems, and processes to protect information assets. These safeguards include firewalls, virtual private networks, and IDPSs.

Defense in Depth
A strategy for the protection of information assets that uses multiple layers and different types of controls (managerial, operational, and technical) to provide optimal protection.
Redundancy: multiple types of technology that prevent the failure of one system from compromising the security of information.

Security Perimeter
The boundary between an organization's security efforts and the outside world or untrusted network areas.
Security Domain: an area of trust within which information assets share the same level of protection. Each trusted network within an organization is a security domain. Communication between security domains requires evaluation of communications traffic.

Security Education, Training, and Awareness Program

Security education, training, and awareness (SETA): a managerial program designed to improve the security of information assets by providing targeted knowledge, skills, and guidance for organizations.

The purpose of SETA is to enhance security by doing the following:
1. Improving awareness of the need to protect system resources.
2. Developing skills and knowledge so computer users can perform their jobs more securely.
3. Building in-depth knowledge as needed to design, implement, or operate security programs for organizations and systems.

Security Training
Security training provides employees with detailed information and hands-on instruction to prepare them to perform their duties securely.

Security Awareness
A security awareness program is one of the least frequently implemented but most beneficial programs in an organization. A security awareness program is designed to keep information security at the forefront of users' minds.