Question

This week's topic, information security policies, is perhaps the most important topic that a Business major can take from this course. This is the governance layer that lays the bedrock for your organization's security posture. Sure, the technical folks are responsible for executing on that policy but this is where the leaders of a business get together, reach agreement, at times do a sanity check on what is enforceable in the organization, and draft the rules that will make sure the organization is secure. This is not an exercise in putting down whatever "sounds" good in order to check the box and claim that your organization has policies. It takes a realistic perspective and evaluation on what is needed, what is possible, and what is enforceable. It is typically better to a have a weak policy that is enforced than to have a strong policy that is ignored. The resources provided include three articles on approaches to drafting and information security policy. Among the steps is to select a framework or set of standards. These could include "best practice" frameworks such as ISO 27001, NIST SP 800 Series, COBIT, ITIL, or similar guidelines. Depending on the industry, this will likely also include "compliance" standards such as PCI-DSS, HIPAA/HITECH, SOX, FISMA, GLBA, or other legal and regulatory obligations. The resources provided include the NIST CyberSecurity Framework as an example of best practice frameworks and the PCI-DSS compliance standards for those who process credit cards. Both of these will include specific elements or policies that should be included in your overall policy set.

I'd like you to pick three things that stood out to you. This could relate to the process of drafting the policies, the contents of the frameworks or standards, the usefulness of the assessment/planning tools, the format/contents/level of detail in the policy templates, etc. Just choose any three things you learned and share your thoughts about them in 300-400 words.

Answer 1

For every organization, its policies are described. Similarly, the need for Information Security policies also plays an important role in the perspective of security. These security majors are the complete source of trust in the company/organization. So, Information Security Policies came in the picture with many standards.

Here in this article, I am mentioning three essential things for template: details about the system, user and system security, performance measuring. There are more things but for the requirement of this article, these are the three that I would like to concern on.

In the first section, complete details about the system or the application that you are creating. These details are to know about system configuration and it's capabilities. The usability measures are described in this section. The template of this should look like:

• System details
• Infrastructure
• Usability instructions
• Details about available services and how to use them

In the second section, as we concern about the security, user and system security are major parts. The system, as well as the user information/data, should be secure. This is for users that why they come to your application and how much their information is secure. So, this is the trust relationship. The detailed template should look like:

• Details about system security (like what standards are the organization is following)
• Some brief about the standards
• Security measures and provided secure services by company
• User security (What work has been done in this case)
• What standards are followed in user security, and
• How much the whole system is secure

The third one is about the performance measures. In the term security, availability is a very important thing, so the performance. So, an organization must follow some standards and assure users about these things:

• Application uptime and downtime
• Availability of the system
• Scheduled time for maintenance
• Overall performance (i.e. time to response and how much time TLS handshaking take)

So, there are some points and template measures I've described. Hope these will meet your requirements.