CHAPTER 13 IT Security Policy Implementations
by Robert Johnson,
Chuck Easttom
Security Policies and Implementation Issues, 3rd Edition
- Cover
- Title Page
- Copyright Page
- Brief Contents
- Contents
- Dedication
- Preface
- Acknowledgments
- About the Authors
- CHAPTER 1 Information Systems Security Policy Management
- What Is Information Systems Security?
- What Is Information Assurance?
- What Is Governance?
- Why Is Governance Important?
- What Are Information Systems Security Policies?
- Creating Policies
- Where Do Information Systems Security Policies Fit Within an Organization?
- Why Information Systems Security Policies Are Important
- When Do You Need Information Systems Security Policies?
- Why Enforcing and Winning Acceptance for Policies Is Challenging
- CHAPTER SUMMARY
- KEY CONCEPTS AND TERMS
- CHAPTER 1 ASSESSMENT
- ENDNOTES
- CHAPTER 2 Business Drivers for Information Security Policies
- CHAPTER 3 Compliance Laws and Information Security Policy Requirements
- U.S. Compliance Laws
- Whom Do the Laws Protect?
- Which Laws Require Proper Security Controls to Be Included in Policies?
- Which Laws Require Proper Security Controls for Handling Privacy Data?
- Aligning Security Policies and Controls with Regulations
- Industry Leading Practices and Self-Regulation
- Some Important Industry Standards
- International Laws
- CHAPTER SUMMARY
- KEY CONCEPTS AND TERMS
- CHAPTER 3 ASSESSMENT
- ENDNOTES
- CHAPTER 4 Business Challenges Within the Seven Domains of IT Responsibility
- CHAPTER 5 Information Security Policy Implementation Issues
- Human Nature in the Workplace
- Organizational Structures
- The Challenge of User Apathy
- The Importance of Executive Management Support
- The Role of Human Resources Policies
- Policy Roles, Responsibilities, and Accountability
- When Policy Fulfillment Is Not Part of Job Descriptions
- Impact on Entrepreneurial Productivity and Efficiency
- Tying Security Policy to Performance and Accountability
- CHAPTER SUMMARY
- KEY CONCEPTS AND TERMS
- CHAPTER 5 ASSESSMENT
- ENDNOTES
- CHAPTER 6 IT Security Policy Frameworks
- What Is an IT Policy Framework?
- What Is a Program Framework Policy or Charter?
- Business Considerations for the Framework
- Information Assurance Considerations
- Information Systems Security Considerations
- Best Practices for IT Security Policy Framework Creation
- Case Studies in Policy Framework Development
- CHAPTER SUMMARY
- KEY CONCEPTS AND TERMS
- CHAPTER 6 ASSESSMENT
- ENDNOTES
- CHAPTER 7 How to Design, Organize, Implement, and Maintain IT Security Policies
- Policies and Standards Design Considerations
- Document Organization Considerations
- Considerations for Implementing Policies and Standards
- Maintaining Your Policy and Standards Library
- Best Practices for Policies and Standards Maintenance
- Case Studies and Examples of Designing, Organizing, Implementing, and Maintaining IT Security Policies
- CHAPTER SUMMARY
- KEY CONCEPTS AND TERMS
- CHAPTER 7 ASSESSMENT
- ENDNOTES
- CHAPTER 8 IT Security Policy Framework Approaches
- IT Security Policy Framework Approaches
- Roles, Responsibilities, and Accountability for Personnel
- Separation of Duties
- Governance and Compliance
- Best Practices for IT Security Policy Framework Approaches
- Case Studies and Examples of IT Security Policy Framework Approaches
- CHAPTER SUMMARY
- KEY CONCEPTS AND TERMS
- CHAPTER 8 ASSESSMENT
- ENDNOTES
- CHAPTER 9 User Domain Policies
- The Weakest Link in the Information Security Chain
- Seven Types of Users
- Why Govern Users with Policies?
- Acceptable Use Policy (AUP)
- The Privileged-Level Access Agreement (PAA)
- Security Awareness Policy (SAP)
- Best Practices for User Domain Policies
- Understanding Least Access Privileges and Best Fit Access Privileges
- Case Studies and Examples of User Domain Policies
- CHAPTER SUMMARY
- KEY CONCEPTS AND TERMS
- CHAPTER 9 ASSESSMENT
- CHAPTER 10 IT Infrastructure Security Policies
- Anatomy of an Infrastructure Policy
- Workstation Domain Policies
- Mobile Device Domain Policies
- LAN Domain Policies
- LAN-to-WAN Domain Policies
- WAN Domain Policies
- Remote Access Domain Policies
- System/Application Domain Policies
- Telecommunications Policies
- Best Practices for IT Infrastructure Security Policies
- Cloud Security Policies
- Case Studies and Examples of IT Infrastructure Security Policies
- CHAPTER SUMMARY
- KEY CONCEPTS AND TERMS
- CHAPTER 10 ASSESSMENT
- CHAPTER 11 Data Classification and Handling Policies and Risk Management Policies
- Data Classification Policies
- Data Handling Policies
- Identifying Business Risks Related to Information Systems
- Risk and Control Self-Assessment
- Risk Assessment Policies
- Quality Assurance Versus Quality Control
- Best Practices for Data Classification and Risk Management Policies
- Case Studies and Examples of Data Classification and Risk Management Policies
- CHAPTER SUMMARY
- KEY CONCEPTS AND TERMS
- CHAPTER 11 ASSESSMENT
- CHAPTER 12 Incident Response Team (IRT) Policies
- Incident Response Policy
- Incident Classification
- The Response Team Charter
- Incident Response Team Members
- Responsibilities During an Incident
- Business Impact Analysis (BIA) Policies
- Procedures for Incident Response
- Discovering an Incident
- Reporting an Incident
- Containing and Minimizing the Damage
- Cleaning Up After the Incident
- Documenting the Incident and Actions
- Analyzing the Incident and Response
- Creating Mitigation to Prevent Future Incidents
- Handling the Media and Deciding What to Disclose
- Business Continuity Planning Policies
- Dealing with Loss of Systems, Applications, or Data Availability
- Response and Recovery Time Objectives Policies Based on the BIA
- Best Practices for Incident Response Policies
- Disaster Recovery Plan Policies
- Case Studies and Examples of Incident Response Policies
- CHAPTER SUMMARY
- KEY CONCEPTS AND TERMS
- CHAPTER 12 ASSESSMENT
- CHAPTER 13 IT Security Policy Implementations
- Simplified Implementation Process
- Target State
- Executive Buy-in, Cost, and Impact
- Policy Language
- Employee Awareness and Training
- Information Dissemination—How to Educate Employees
- Policy Implementation Issues
- Governance and Monitoring
- Best Practices for IT Security Policy Implementations
- Case Studies and Examples of IT Security Policy Implementations
- CHAPTER SUMMARY
- KEY CONCEPTS AND TERMS
- CHAPTER 13 ASSESSMENT
- ENDNOTES
- CHAPTER 14 IT Security Policy Enforcement
- Organizational Support for IT Security Policy Enforcement
- An Organization’s Right to Monitor User Actions and Traffic
- Compliance Law: Requirement or Risk Management?
- What Is Law and What Is Policy?
- What Automated Security Controls Can Be Implemented Through Policy?
- Legal Implications of IT Security Policy Enforcement
- Who Is Ultimately Accountable for Risks, Threats, and Vulnerabilities?
- Best Practices for IT Security Policy Enforcement
- Case Studies and Examples of Successful and Unsuccessful IT Security Policy Enforcement
- CHAPTER SUMMARY
- KEY CONCEPTS AND TERMS
- CHAPTER 14 ASSESSMENT
- CHAPTER 15 IT Policy Compliance and Compliance Technologies
- Creating a Baseline Definition for Information Systems Security
- Tracking, Monitoring, and Reporting IT Security Baseline Definition and Policy Compliance
- Automating IT Security Policy Compliance
- Compliance Technologies and Solutions
- Best Practices for IT Security Policy Compliance Monitoring
- Case Studies and Examples of Successful IT Security Policy Compliance Monitoring
- CHAPTER SUMMARY
- KEY CONCEPTS AND TERMS
- CHAPTER 15 ASSESSMENT
- APPENDIX A Answer Key
- APPENDIX B Standard Acronyms
- Glossary of Key Terms
- References
- Index
© obpcnh/Shutterstock
IT Security Policy Implementations |
CHAPTER |
INFORMATION SECURITY POLICIES are the foundation upon which you build good security habits. IT security policies define what business and technology risks will be controlled and how they will be controlled. Users can turn to policies for guidance in their daily work. Policies are a useful tool for creating a risk culture that protects information. Policies are also part of the artifacts that are examined in any audit. The adoption and effective implementation of these policies are evidence to regulators, customers, and shareholders that due care is being taken to protect the company and its customers’ personal information. The stakes are high. Well-implemented security policies build brand confidence and help an organization achieve its goals. Poorly implemented security policies lead to breaches, fines, and damage to brand value, and they undermine confidence in the organization.
Everyone must follow the policies if they are to be effective. A security policy implementation needs user acceptance to be successful. Absent user acceptance, the policies may not be implemented consistently. They may sometimes be seen as optional. You can gain user acceptance, in part, by effectively communicating policies that are also easy to understand. A security awareness program, in addition to other methods, helps users understand policies and why they’re important. The implementation of security policies also requires management support. Thorough planning allows you to overcome challenges and gain that support.
This chapter examines a simple process approach to implementing IT security policies. It walks you through this high-level process and explores the major issues encountered while implementing security policies. You will read how to overcome challenges and the importance of a communication plan. The chapter also examines best practices for implementing security policies. Finally, the chapter presents case studies that reinforce important topics and concepts.
Chapter 13 Topics
This chapter covers the following topics and concepts:
- What a simplified implementation process looks like
- What is meant by “target state”
- How to win executive support, and why it matters
- What good policy language is
- What’s involved in employee awareness and training
- How to educate employees through proper dissemination of information
- What policy implementation issues you should anticipate
- What the roles of governance and monitoring in security policy implementation are
- Which best practices to follow when implementing IT security policies
- What some case studies and examples of successful IT security policy implementations are
Chapter 13 Goals
When you complete this chapter, you will be able to:
- Describe a simple implementation process
- Explain key process steps and related concerns
- Identify key organizational and cultural issues in implementing policies
- Describe why executive support is so important
- Define what a communications plan is
- Explain the importance of a communications plan
- Explain the difference between awareness of and training in security policies
- Describe examples of policy training
- Describe what a brown bag session is and what its benefits are
- Explain techniques for overcoming objections
- Describe different ways to disseminate policy material
- Explain the technical and nontechnical barriers to implementing IT security policies
- Understand best practices to follow when implementing IT security policies
- Use case studies of successful IT security policy implementations as examples for your organization
-
No Comment
..................Content has been hidden....................
You can't read the all page of ebook, please click here login for view all page.