Information Security for Managers
Submitted Date: January 22, 2009
Table of Contents
1. Information Security Policy (Word Count = approx. 1000)
1.1 Security:
1.2 Policy:
1.3 Information Security Policy and its importance:
1.4 Policies, Procedures, Practices, Guidelines
1.5 Example of good policy statement
1.6 Possible structure of information security policy documents
1.7 Strategies and techniques to implement information security policies
2. Developing the Security Program (Word Count = approx. 500)
3. Security Management Models and Practices (Word Count = approx. 500)
A. ISO/IEC ...
It is also known as a process of making decisions with different priorities and choosing among them. Policies can be written for political, financial, management and administrative conditions for achieving explicit goals (Wikipedia: policy, 2009). An information security policy document contains the written statements of how an organization intends to protect information.
1.3 Information Security Policy and its importance:
Information flow within a business is a foundation of its competitive edge and financial liquidity. Maintaining the competitive edge is also increasingly often related to implementing information services, which act as a way to improve information flow. However, it is important that these services be implemented in such a fashion that the intended profits do not become losses. That is why information security policy is of such importance. Information security policy must be implemented in such a fashion that it enables business continuity, minimizes risk, and maximizes business efficiency.
Improper development of information resources leads, as a consequence, to data scattering and a decrease in security. In order to protect their business assets, businesses develop information security policies as sets of regulations and procedures, which are intended to help maintain information confidentiality, integrity and availability.
A company's information security policy is a document which states the company's resources and assets, which are continuously updated as technology and business requirements change. It is one of the most important information security documents. Enterprises implement information security policies for the following five major consequences (Peltier 2002):
i. It can be beneficial for gaining competitive advantage;
ii. Improves customer and shareholder confidence;
iii. Decreases governmental interference;
iv. Compliance with legislative requirements; and
v. The risk of legal liability decreases
1.4 Policies, Procedures, Practices, Guidelines
Source: (Whitman & Mattord 2007, p.112)
The figure above provides a general view of policies, standards, practices, guidelines and procedures. More specifically,
I. Policies are the plans of action of a government, business, party or political sector for influencing and determining decisions, actions and other matters.
II. Standards are the more detailed statements for complying with policy.
III. Practices, Guidelines and Procedures explain how the employees in an organisation comply with the policy.
For example, a policy of an enterprise can be something like: employees are not allowed to view inappropriate web sites in the workplace. While implementing this policy, the enterprise creates standards stating that all inappropriate sites are blocked, and lists those sites that are considered inappropriate.
1.5 Example of good policy statement
A good policy statement must have the following properties (Whitman & Mattord 2007):
i. Policy must be developed with...