What is information security policy? Why is it critical to the success of the information security program?
Information security policy expresses the will of the organization's management in controlling the behavior of its employees. The policy outlines what needs to be done in order to safeguard information in a company. Without a document that explains this in detail, employees would not know what direction or even what action to take to protect the information in the company.
For a policy to have any effect, what must happen after it is approved by management? What are some ways this can be accomplished?
a. Policies must be implemented and enforced down the chain of command.
b. All policies must contribute to the success of the organization. Management must ensure the adequate sharing of responsibility for the proper use of information systems. End users of information systems should be involved in the steps of policy formulation.
List and describe the three types of information security policy as described by NIST SP 800-14.
The first type of information security policy described by NIST SP 800-14 is the enterprise information security program policy (EISP). The EISP is used to set the scope, tone and strategic direction for a company and all the security-oriented topics within it. This policy should directly reflect the goals and mission of the company. The second is the issue-specific security policy (ISSP). The ISSP is used to guide employees on the use of specific types of technology (such as email or internet use). It should be carefully designed to uphold the company's ethical codes, while providing the employees with a detailed list to ensure they understand the policy and how it is beneficial to the company. The final one is the system-specific security policy (SysSP). The SysSP should be designed and created to focus on a specific type of system (such as firewalls). It should provide a guideline for the implementation of, and the standards by which, these systems are configured and maintained.
List and describe the three approaches to policy development presented in the text. In your opinion, which is better suited for use by a smaller organization, and why? If the target organization were very much larger, which approach would be superior and why?
The three approaches to policy are the enterprise information security policy, the issue-specific security policy, and the system-specific security policy. The EISP is broad-based, encompassing and defining large areas of responsibility and implementation. The ISSP is tailored toward the organization's intent on how a certain technology-based system is to be used. The system-specific policy is written more as a standard and procedure to be used in the configuration of a system. A large organization would need a policy written along the lines of an EISP in order to cover all of its various systems and information security needs. For instance, Lockheed has a very detailed policy to protect confidential information. This is required by its customer, the federal government. A small or smaller company, say a restaurant, might only need a system to help track its daily sales, inventory, and labor records. All of that may be confidential, but it can easily be handled by a policy like a SysSP.