
INFORMATION ASSURANCE

AND SECURITY

PREPARED BY: CHRISA MAE S. TURLA


SECURITY POLICIES
WHAT IS POLICY?
• A course or principle of action adopted or proposed by a
government, party, business, or individual.
• Policies are rules, principles, guidelines or frameworks that are
adopted or designed by an organization to achieve long term goals.
POLICY OBJECTIVE
• Reduce risk
• Compliance with laws and regulations
• Assurance of operational continuity, information integrity and
confidentiality
WHY POLICY?
• A quality information security program begins and ends with policy.
• Policies are the least expensive means of control and often the most
difficult to implement.
• Basic rules of shaping a policy:
• Policy should never conflict with law
• Policy must be able to stand up in court if challenged
• Policy must be properly supported and administered
WHY POLICY?
• Policies are important reference documents
• For internal audits
• For the resolution of legal disputes about management’s due diligence
• Policy documents can act as a clear statement of management’s intent
BULLS-EYE MODEL
BULLS-EYE MODEL IN SECURITY POLICY
• The bull’s-eye model is a view of the information security program that
focuses on the role of policy.
• Policy: the outermost layer of the bull’s-eye model.
• Network: the layer where threats from public networks meet the
networking infrastructure of the organization.
• Systems: desktop computers, servers, manufacturing systems and
systems used for process control.
• Applications: all application systems
POLICY, STANDARDS AND PRACTICES
POLICY, STANDARDS AND PRACTICES
• Policy
• A plan or course of action that influences decisions.
• For policies to be effective they must be properly disseminated, read,
understood, agreed-to, and uniformly enforced
• Policies require constant modification and maintenance
POLICY, STANDARDS AND PRACTICES
• Types of information security policy
• Enterprise information security
• Issue-specific information security policies
• System-specific policies
ENTERPRISE INFORMATION SECURITY POLICY ELEMENTS
• EISP documents should provide:
• An overview of the corporate philosophy on security
• Information about the information security organization and information
security roles
• Responsibilities for security that are shared by all members of the organization
• Responsibilities for security that are unique to each role within the organization
EXAMPLE ENTERPRISE INFORMATION SECURITY
POLICY COMPONENTS
• Statement of purpose
• What the policy is for
• Information technology security elements
• Defines information security
• Need for information technology security
• Justifies importance of information security in the organization
• Information technology security responsibilities and roles
• Defines organizational structures
• Reference to other information technology standards and guidelines
ISSUE-SPECIFIC SECURITY POLICY
• Provides detailed, targeted guidance
• Instructs the organization in the secure use of technology systems
• Begins with an introduction to the fundamental technological philosophy of the
organization
• Protects organization from inefficiency and ambiguity
• Documents how the technology-based system is controlled
• Identifies the process and authorities that provide this control
• Indemnifies the organization against liability for an employee’s
inappropriate or illegal system use
ISSUE-SPECIFIC SECURITY POLICY
• Every organization’s ISSP should:
• Address specific technology-based systems
• Require frequent updates
• Contain an issue statement on the organization’s position on an issue
• ISSP topics
• Email and internet use
• Minimum system configurations
• Prohibitions against hacking
• Home use of company-owned computer equipment
• Use of personal equipment on company networks
• Use of telecommunication technologies
• Use of photocopy equipment
COMPONENTS OF THE ISSP
• Statement of purpose
• Scope and applicability
• Definition of technology addressed
• Responsibilities
• Authorized access and usage of equipment
• User access
• Fair and responsible use
• Protection of privacy
COMPONENTS OF THE ISSP
• Prohibited usage of equipment
• Disruptive use or misuse
• Criminal use
• Offensive or harassing materials
• Copyrighted, licensed or other intellectual property
• Other restrictions
• System management
• Management of stored materials
• Employer monitoring
• Virus protection
• Physical security
• Encryption
COMPONENTS OF THE ISSP
• Violations of policy
• Procedures for reporting violation
• Penalties for violations
• Policy review and modification
• Scheduled review of policy and procedures for modification
• Limitations of liability
• Statements of liability or disclaimers
SYSTEM-SPECIFIC SECURITY POLICY
• System-specific security policies frequently do not look like other
types of policy
• They may function as standards or procedures to be used when configuring
or maintaining systems
• System-specific security policies can be separated into
• Management guidance
• Technical specifications
• Or combined in a single policy document
MANAGERIAL GUIDANCE SYSTEM-SPECIFIC SECURITY
POLICIES
• Created by management to guide the implementation and
configuration of technology
• Applies to any technology that affects the confidentiality, integrity
or availability of information
• Informs technologists of management intent
TECHNICAL SPECIFICATIONS SYSTEM-SPECIFIC
SECURITY POLICIES
• System administrators’ directions on implementing managerial
policy
• Each type of equipment has its own set of policies
• General methods of implementing technical controls
• Access control lists
• Configuration rules
TECHNICAL SPECIFICATIONS SYSTEM-SPECIFIC
SECURITY POLICIES
• Access control lists
• Include the user access lists, matrices and capability tables that govern
rights and privileges
• A related method that specifies which objects each subject (a user or group)
can access is called a capability table
• These specifications are frequently complex matrices, rather than simple lists
or tables
• Enable administrators to restrict access according to user, computer, time of
day, duration or even a particular file
TECHNICAL SPECIFICATIONS SYSTEM-SPECIFIC
SECURITY POLICIES
• Access control lists regulate
• Who can use the system
• What authorized users can access
• When and where authorized users can access the system
• How authorized users can access the system
• Restricting what users can access, e.g. printers, files, communications, and
applications
• Administrators set user privileges
• Read, write, create, modify, delete, compare, copy
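The slides above describe an access control list (kept per object) and a capability table (kept per subject) as two views of the same access matrix, with entries that can also restrict the computer a request comes from and the time it is allowed. The following toy evaluator is an added example written for this page, not code from the slides or from any product; the subjects, file names, hosts and hours in it are constructed. It applies default deny (no entry means no access), derives the capability-table view by transposing the ACL, and checks all four questions the slide lists: who, what, when and where.

```python
"""Toy ACL / capability-table evaluator (constructed example, not from the slides)."""
from dataclasses import dataclass
from datetime import datetime, time

# The privilege set named on the slide.
PRIVILEGES = frozenset({"read", "write", "create", "modify", "delete", "compare", "copy"})


@dataclass(frozen=True)
class Rule:
    """One cell of the access matrix: rights plus optional host/time restrictions."""
    rights: frozenset                 # subset of PRIVILEGES
    hosts: frozenset = frozenset()    # empty means any computer
    start: time = time(0, 0)          # earliest permitted time of day
    end: time = time(23, 59, 59)      # latest permitted time of day

    def allows(self, right, host, when):
        if right not in self.rights:
            return False
        if self.hosts and host not in self.hosts:
            return False
        return self.start <= when.time() <= self.end


# ACL view: object -> subject -> Rule.  Constructed sample data.
ACL = {
    "/finance/payroll.xlsx": {
        # alice may read/modify payroll, but only from the HR workstation, 08:00-18:00
        "alice": Rule(frozenset({"read", "modify"}), frozenset({"hr-ws01"}), time(8, 0), time(18, 0)),
        "bob": Rule(frozenset({"read"})),
    },
    "/shared/printer-3f": {
        "alice": Rule(frozenset({"write"})),
        "bob": Rule(frozenset({"write"})),
        # carol may print only during office hours
        "carol": Rule(frozenset({"write"}), frozenset(), time(9, 0), time(17, 0)),
    },
}


def capability_table(acl):
    """Transpose the ACL into the per-subject view: subject -> object -> Rule."""
    table = {}
    for obj, entries in acl.items():
        for subject, rule in entries.items():
            table.setdefault(subject, {})[obj] = rule
    return table


def objects_for(acl, subject):
    """'What authorized users can access': every object with an entry for the subject."""
    return sorted(capability_table(acl).get(subject, {}))


def check(acl, subject, right, obj, host, when):
    """Default deny: a missing object or subject entry means no access."""
    if right not in PRIVILEGES:
        raise ValueError(f"unknown privilege {right!r}")
    rule = acl.get(obj, {}).get(subject)
    return rule is not None and rule.allows(right, host, when)


if __name__ == "__main__":
    now = datetime(2021, 11, 22, 10, 0)
    print(check(ACL, "alice", "modify", "/finance/payroll.xlsx", "hr-ws01", now))   # True
    print(check(ACL, "alice", "modify", "/finance/payroll.xlsx", "lab-pc", now))    # False: wrong computer
    print(objects_for(ACL, "carol"))                                                # ['/shared/printer-3f']
```

Because both views are generated from one matrix, an audit can answer "who can touch this file" from the ACL and "what can this user reach" from the capability table without the two drifting apart, which is the usual failure when the lists are maintained separately.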
TECHNICAL SPECIFICATIONS SYSTEM-SPECIFIC
SECURITY POLICIES
• Configuration rules
• Specific configuration codes entered into security systems
• Guide the execution of the system when information is passing through it
• Rule policies are more specific to system operation
• May or may not deal with users directly
• Many security systems require specific configuration scripts telling
the systems what actions to perform on each set of information
they process
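The slide describes configuration rules as scripts that tell a security system what action to take on each piece of information it processes. The following first-match rule evaluator is an added example for this page, not code from the slides or from any firewall product; the rule script, addresses and ports are constructed. It shows how an ordered rule list with a closing default-deny rule decides each packet, and includes a small audit check for the most common mistake when such scripts are edited: a rule placed after a broader one that can never match (a shadowed rule).

```python
"""Toy configuration-rule evaluator for a firewall-style system (constructed example)."""
from ipaddress import ip_address, ip_network

# Constructed rule script.  Rules are evaluated top to bottom; the first match wins.
# dport None means "any port"; proto "any" means "any protocol".
RULES = [
    {"name": "allow-web-in",    "proto": "tcp", "src": "0.0.0.0/0",  "dst": "203.0.113.10/32", "dport": 443,  "action": "allow"},
    {"name": "block-telnet",    "proto": "tcp", "src": "0.0.0.0/0",  "dst": "0.0.0.0/0",       "dport": 23,   "action": "deny"},
    {"name": "allow-admin-ssh", "proto": "tcp", "src": "10.0.0.0/8", "dst": "203.0.113.10/32", "dport": 22,   "action": "allow"},
    {"name": "default-deny",    "proto": "any", "src": "0.0.0.0/0",  "dst": "0.0.0.0/0",       "dport": None, "action": "deny"},
]


def matches(rule, pkt):
    """True if every condition of the rule holds for the packet."""
    if rule["proto"] != "any" and rule["proto"] != pkt["proto"]:
        return False
    if ip_address(pkt["src"]) not in ip_network(rule["src"]):
        return False
    if ip_address(pkt["dst"]) not in ip_network(rule["dst"]):
        return False
    if rule["dport"] is not None and rule["dport"] != pkt["dport"]:
        return False
    return True


def evaluate(rules, pkt):
    """Return (action, rule name) of the first matching rule; deny if nothing matches."""
    for rule in rules:
        if matches(rule, pkt):
            return rule["action"], rule["name"]
    return "deny", "implicit-deny"


def shadowed_rules(rules):
    """Audit check: list (rule, earlier rule) pairs where the earlier rule is at least as
    broad in protocol, port, source and destination, so the later rule can never fire."""
    found = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if (earlier["proto"] in ("any", later["proto"])
                    and earlier["dport"] in (None, later["dport"])
                    and ip_network(later["src"]).subnet_of(ip_network(earlier["src"]))
                    and ip_network(later["dst"]).subnet_of(ip_network(earlier["dst"]))):
                found.append((later["name"], earlier["name"]))
                break
    return found


# Constructed mis-ordered script: the catch-all deny was moved to the top.
MISORDERED = [RULES[-1]] + RULES[:-1]

if __name__ == "__main__":
    pkt = {"proto": "tcp", "src": "198.51.100.7", "dst": "203.0.113.10", "dport": 22}
    print(evaluate(RULES, pkt))          # ('deny', 'default-deny'): SSH only from 10.0.0.0/8
    print(shadowed_rules(RULES))         # []
    print(shadowed_rules(MISORDERED))    # every other rule is shadowed by default-deny
```

Running the shadowing check whenever the script changes is a cheap way to keep the technical specification faithful to the managerial intent: a rule that can never match is policy on paper only.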
TECHNICAL SPECIFICATIONS SYSTEM-SPECIFIC
SECURITY POLICIES
• Often organizations create a single document combining elements
of both management guidance and technical specifications system-
specific security policies
• This can be confusing but practical
• Care should be taken to articulate the required actions carefully as the
procedures are presented
GUIDELINES FOR EFFECTIVE POLICY
• For policies to be effective, they must be properly:
• Developed using industry-accepted practices
• Distributed or disseminated using all appropriate methods
• Reviewed or read by all employees
• Understood by all employees
• Formally agreed to by act or assertion
• Uniformly applied and enforced
DEADLINE NOVEMBER 27, 2021 UNTIL 11:59PM
• ACTIVITY
• As the owner of an IT company, create your own policy that covers the five (5)
policy process stages, in a Word document
• (1) agenda setting,
• (2) formulation,
• (3) adoption,
• (4) implementation and administration,
• (5) evaluation

• Send to my email chrisamae.turla@cvsu.edu.ph


Ex:
