Topic 3 Flashcards
Cyber security
What is information security policy? Why is it critical to the success of the InfoSec program?
Information security policy defines the direction, scope, and tone for all of an organization’s security efforts. It includes both strategic elements for the enterprise as well as encompassing specific control strategies where appropriate. It is important because it helps employees view what an organization wants, where it wants to go, and for what reason.
Explain the three types of InfoSec policy as described by NIST SP 800-14.
- The first type of information security policy described by NIST SP 800-14 is the enterprise information security policy (EISP). The EISP is used to determine the scope, tone, and strategic direction for a company and all the security topics within. This policy should directly reflect the goals and mission of the company.
- The second is the issue-specific security policy (ISSP). The ISSP is used to guide employees on the use of specific types of technology (such as e-mail or Internet use). This policy should be carefully designed to uphold a company’s ethical codes, while providing the employees with a detailed list to ensure they understand the policy and how it is beneficial to the company.
- The final policy is the system-specific security policy (SysSP). The SysSP should be designed and created to focus on a specific type of system (such as firewalls). It should provide a guideline for the implementation and standards by which these systems are configured and maintained.
What is the purpose of an EISP?
An enterprise information security policy (EISP) is designed to outline the strategic direction and scope for all of an organization’s security efforts as well as assigning responsibilities for the various areas of information security. It also guides the development, implementation, and management requirements of the information security program.
What is the purpose of an ISSP?
An issue-specific security policy (ISSP) is designed to provide detailed and targeted guidelines and expectations about how the technology-based system in question should be used.
What is the purpose of a SysSP?
A system-specific security policy (SysSP) is designed to specify and detail standards or procedures to be used when configuring or maintaining systems.
To what degree should the organization’s values, mission, and objectives be integrated into the policy documents?
Organizational values, mission, and objectives should be a central part of any policy document. The goal of any security policy should be to support the overall values and objectives of an organization and should be implemented to address the behavior of people in the organization in ways that support the security of information.
List and explain four elements that should be present in the EISP.
The four elements that should be present in the EISP are:
* An overview of the corporate philosophy on security
* Information on the structure of the information security organization and individuals that fulfill the information security role
* Fully articulated responsibilities for security that are shared by all members of the organization
* Fully articulated responsibilities for security that are unique to each role within the organization
Describe three functions that the ISSP serves in an organization.
It explains how the organization expects the technology in question is to be used; it documents how the technology is controlled, identifies the process, and identifies who has the authority to provide that control; and it protects the organization against misuse of the technology.
What should be the first component of an ISSP when it is presented? Why? What should be the second major component? Why?
The ISSP should begin with a statement of purpose that outlines its objectives, who is responsible for the policy outlined, and what technology it is addressing. For a policy to be effective, it has to have an overall framework before the detailed steps can be outlined. The second major heading should address who is allowed to have access to the technology. Security levels are based on the level of risk if the information is compromised; therefore, it is critical to determine who needs access to certain information or systems.
Explain three common ways in which ISSP documents are created and/or managed.
Policies can be created to manage a specific issue, such as Internet use at work. Policies can be created with the intent of covering all issues, giving the policy broad and wider range for implementation and enforcement. Policies can be written with a modular approach, which gives them a detailed topic focus to address issues within a responsible department while also allowing centrally managed procedures and topic coverage.
Describe the two general groups of material included in most SysSP documents.
The two types of materials included in the system-specific policy are:
* Management guidance for the implementation and configuration of technology and addressing the behavior of the users to ensure the security of the information.
* The technical specification, whose purpose is to create a managerial policy to translate the managerial intent for the technical control into an enforceable technical approach.
List and describe the three approaches to policy development discussed in this Topic. In your opinion, which is best suited for use by a smaller organization and why? If the target organization were very much larger, which approach would be more suitable and why?
Three approaches to policy are the enterprise information security policy (EISP), issue-specific security policy (ISSP), and the system-specific security policy (SysSP). The EISP is broad-based, encompassing and defining large areas of responsibility and implementation. The ISSP is tailored toward the organization’s intent for how a certain technology-based system is to be used. The SysSP is written more as a standard and procedure to be used in the configuration of a system. A large organization would need a policy written along the lines of an EISP in order to cover all of the various systems and information security needs. For instance, a government contractor might have a very detailed policy to protect confidential information when it is required by the customer, the federal government. A smaller company, say a restaurant, might only need a system to help track its daily sales, inventory, and labor records. All of these records may be confidential, but could easily be handled by a policy like the SysSP.
