Sunday, April 24, 2016

Week -6

Information Security Policy

An Information Security Policy (ISP) is designed to safeguard the confidentiality, integrity, and availability of all physical and electronic assets of the organization so that regulatory, operational, and contractual requirements are fulfilled. An ISP should state the organization's overall goals, such as: compliance with laws, regulations, and guidelines; meeting the confidentiality, integrity, and availability requirements of the organization's employees and other users; establishing the controls necessary to protect information and information systems against theft, abuse, and other forms of harm and loss; and motivating employees to take responsibility for, and ownership of, their knowledge of information security, in order to reduce the risk of security incidents. (Whitman and Mattord)
The ISP should address the current business strategy and the framework for risk management, and it should provide guidelines for identifying, assessing, evaluating, and controlling information-related risks. To keep operations secure even after an incident, it should also require the availability of continuity plans, backup procedures, defenses against malicious code and malicious activity, system and information access control, and incident management and reporting.

A related model is the bull's-eye model described by Whitman and Mattord. It is not itself an ISP but a proven mechanism for prioritizing complex changes, widely accepted among InfoSec practitioners, in which issues are addressed systematically by moving from the general to the specific: policy forms the outermost layer, and the more specific layers (networks, systems, and applications) are addressed after it. (Whitman and Mattord)
Policy should directly address how issues are to be handled and how technologies are to be used, rather than specifying the proper operation of equipment or software, which belongs in standards and procedures. The ISP should also spell out the consequences of unacceptable behavior.

References:

Michael E. Whitman and Herbert J. Mattord, Management of Information Security, Fourth Edition, Cengage Learning.
