Question

Where should policy writers look to find supporting material when developing the policies for their organization?

Answer #1

Answer:

The three types of security policies are:

1. Enterprise Information Security Policy (EISP): this is a document from the executive level that shapes the philosophy of security in the IT environment. This document guides development, implementation and management of the security program. It sets the requirements and assigns responsibilities to the various areas of security, while defining scope, constraints, purpose and applicability of the program. It also addresses legal compliance. This policy usually starts from the CISO and guides the entire enterprise security program.

2. Issue-Specific Security Policy (ISSP)

A sound issue-specific security policy provides detailed, targeted guidance to instruct all members of the organization in the use of technology-based systems. The ISSP should begin with an introduction of the fundamental technological philosophy of the organization. It should assure the members of the organization that the purpose of the policy is not to provide a legal foundation for persecution or prosecution, but to provide a common understanding of the purposes for which an employee can and cannot use the technology. Once this understanding is established, employees are free to use the technology without seeking approval for each type of use. This serves to protect both the employee and the organization from inefficiency and ambiguity. According to Whitman et al. (1999), an effective ISSP:
• Articulates the organization’s expectations about how the technology-based system in question should be used
• Documents how the technology-based system is controlled and identifies the processes and authorities that provide this control
• Serves to indemnify the organization against liability for an employee’s inappropriate or illegal system use
An effective ISSP is a binding agreement between parties (the organization and its members) and shows that the organization has made a good faith effort to ensure that its technology is not used in an inappropriate manner. An ISSP may be drafted to cover many topics, including e-mail, use of the Internet and World Wide Web, office computing equipment, and a host of other fair and responsible use areas. The specific situation of any particular organization dictates the exact wording of the security procedures as well as issues not covered within these general guidelines. There are seven major sections of a good ISSP (Whitman, 2003). These are described here in detail.
1. Statement of Purpose - a clear statement of purpose that outlines the scope and applicability of the policy, addressing the purpose of this policy, who is responsible and accountable for policy implementation and what technologies and issues the policy document addresses.
2. Authorized Access and Usage of Equipment - who can use the technology governed by the policy, and for what purposes. This section defines "fair and responsible use" of equipment and other organizational assets, as well as addressing key legal issues, such as protection of personal information and privacy.
3. Prohibited Usage of Equipment - what the issue or technology cannot be used for, that is, personal use, disruptive use or misuse, criminal use, offensive or harassing materials, and infringement of copyrighted, licensed, or other intellectual property. Unless a particular use is clearly prohibited, the organization cannot penalize employees for such usage.
4. Systems Management - the users’ relationships to systems management, including systems maintenance and storage authorization and restriction. The Systems Management section should specify users’ and systems administrators’ responsibilities.
5. Violations of Policy - the penalties and repercussions of violating the usage and systems management policies, as well as instructions on how to report observed or suspected violations, either openly or anonymously.
6. Policy Review and Modification - procedures and a timetable for periodic review. This section should contain a specific methodology for the review and modification of the ISSP, to ensure that users always have guidelines that reflect the organization’s current technologies and needs.
7. Limitations of Liability - a general statement of liability or set of disclaimers. If an individual employee is caught conducting illegal activities with organizational equipment or assets, management does not want the organization held liable. Therefore, if employees violate a company policy or any law using company technologies, the company will not protect them, and is not liable for their actions, assuming that the violation is not known or sanctioned by management.

3. Systems-Specific Policy (SysSP)

While issue-specific policies are formalized as written documents, distributed to users, and agreed to in writing, systems-specific policies (SysSPs) are frequently codified as standards and procedures used when configuring or maintaining systems. One example of a SysSP is a document describing the configuration and operation of a network firewall. This document could include a statement of managerial intent, guidance to network engineers on selecting, configuring, and operating firewalls, and an access control list that defines levels of access for each authorized user. Systems-specific policies can be organized into two general groups: management guidance and technical specifications.
