CHAPTER 8 IT Security Policy Framework Approaches
by Robert Johnson,
Chuck Easttom
Security Policies and Implementation Issues, 3rd Edition
- Cover
- Title Page
- Copyright Page
- Brief Contents
- Contents
- Dedication
- Preface
- Acknowledgments
- About the Authors
- CHAPTER 1 Information Systems Security Policy Management
- What Is Information Systems Security?
- What Is Information Assurance?
- What Is Governance?
- Why Is Governance Important?
- What Are Information Systems Security Policies?
- Creating Policies
- Where Do Information Systems Security Policies Fit Within an Organization?
- Why Information Systems Security Policies Are Important
- When Do You Need Information Systems Security Policies?
- Why Enforcing and Winning Acceptance for Policies Is Challenging
- CHAPTER SUMMARY
- KEY CONCEPTS AND TERMS
- CHAPTER 1 ASSESSMENT
- ENDNOTES
- CHAPTER 2 Business Drivers for Information Security Policies
- CHAPTER 3 Compliance Laws and Information Security Policy Requirements
- U.S. Compliance Laws
- Whom Do the Laws Protect?
- Which Laws Require Proper Security Controls to Be Included in Policies?
- Which Laws Require Proper Security Controls for Handling Privacy Data?
- Aligning Security Policies and Controls with Regulations
- Industry Leading Practices and Self-Regulation
- Some Important Industry Standards
- International Laws
- CHAPTER SUMMARY
- KEY CONCEPTS AND TERMS
- CHAPTER 3 ASSESSMENT
- ENDNOTES
- CHAPTER 4 Business Challenges Within the Seven Domains of IT Responsibility
- CHAPTER 5 Information Security Policy Implementation Issues
- Human Nature in the Workplace
- Organizational Structures
- The Challenge of User Apathy
- The Importance of Executive Management Support
- The Role of Human Resources Policies
- Policy Roles, Responsibilities, and Accountability
- When Policy Fulfillment Is Not Part of Job Descriptions
- Impact on Entrepreneurial Productivity and Efficiency
- Tying Security Policy to Performance and Accountability
- CHAPTER SUMMARY
- KEY CONCEPTS AND TERMS
- CHAPTER 5 ASSESSMENT
- ENDNOTES
- CHAPTER 6 IT Security Policy Frameworks
- What Is an IT Policy Framework?
- What Is a Program Framework Policy or Charter?
- Business Considerations for the Framework
- Information Assurance Considerations
- Information Systems Security Considerations
- Best Practices for IT Security Policy Framework Creation
- Case Studies in Policy Framework Development
- CHAPTER SUMMARY
- KEY CONCEPTS AND TERMS
- CHAPTER 6 ASSESSMENT
- ENDNOTES
- CHAPTER 7 How to Design, Organize, Implement, and Maintain IT Security Policies
- Policies and Standards Design Considerations
- Document Organization Considerations
- Considerations for Implementing Policies and Standards
- Maintaining Your Policy and Standards Library
- Best Practices for Policies and Standards Maintenance
- Case Studies and Examples of Designing, Organizing, Implementing, and Maintaining IT Security Policies
- CHAPTER SUMMARY
- KEY CONCEPTS AND TERMS
- CHAPTER 7 ASSESSMENT
- ENDNOTES
- CHAPTER 8 IT Security Policy Framework Approaches
- IT Security Policy Framework Approaches
- Roles, Responsibilities, and Accountability for Personnel
- Separation of Duties
- Governance and Compliance
- Best Practices for IT Security Policy Framework Approaches
- Case Studies and Examples of IT Security Policy Framework Approaches
- CHAPTER SUMMARY
- KEY CONCEPTS AND TERMS
- CHAPTER 8 ASSESSMENT
- ENDNOTES
- CHAPTER 9 User Domain Policies
- The Weakest Link in the Information Security Chain
- Seven Types of Users
- Why Govern Users with Policies?
- Acceptable Use Policy (AUP)
- The Privileged-Level Access Agreement (PAA)
- Security Awareness Policy (SAP)
- Best Practices for User Domain Policies
- Understanding Least Access Privileges and Best Fit Access Privileges
- Case Studies and Examples of User Domain Policies
- CHAPTER SUMMARY
- KEY CONCEPTS AND TERMS
- CHAPTER 9 ASSESSMENT
- CHAPTER 10 IT Infrastructure Security Policies
- Anatomy of an Infrastructure Policy
- Workstation Domain Policies
- Mobile Device Domain Policies
- LAN Domain Policies
- LAN-to-WAN Domain Policies
- WAN Domain Policies
- Remote Access Domain Policies
- System/Application Domain Policies
- Telecommunications Policies
- Best Practices for IT Infrastructure Security Policies
- Cloud Security Policies
- Case Studies and Examples of IT Infrastructure Security Policies
- CHAPTER SUMMARY
- KEY CONCEPTS AND TERMS
- CHAPTER 10 ASSESSMENT
- CHAPTER 11 Data Classification and Handling Policies and Risk Management Policies
- Data Classification Policies
- Data Handling Policies
- Identifying Business Risks Related to Information Systems
- Risk and Control Self-Assessment
- Risk Assessment Policies
- Quality Assurance Versus Quality Control
- Best Practices for Data Classification and Risk Management Policies
- Case Studies and Examples of Data Classification and Risk Management Policies
- CHAPTER SUMMARY
- KEY CONCEPTS AND TERMS
- CHAPTER 11 ASSESSMENT
- CHAPTER 12 Incident Response Team (IRT) Policies
- Incident Response Policy
- Incident Classification
- The Response Team Charter
- Incident Response Team Members
- Responsibilities During an Incident
- Business Impact Analysis (BIA) Policies
- Procedures for Incident Response
- Discovering an Incident
- Reporting an Incident
- Containing and Minimizing the Damage
- Cleaning Up After the Incident
- Documenting the Incident and Actions
- Analyzing the Incident and Response
- Creating Mitigation to Prevent Future Incidents
- Handling the Media and Deciding What to Disclose
- Business Continuity Planning Policies
- Dealing with Loss of Systems, Applications, or Data Availability
- Response and Recovery Time Objectives Policies Based on the BIA
- Best Practices for Incident Response Policies
- Disaster Recovery Plan Policies
- Case Studies and Examples of Incident Response Policies
- CHAPTER SUMMARY
- KEY CONCEPTS AND TERMS
- CHAPTER 12 ASSESSMENT
- CHAPTER 13 IT Security Policy Implementations
- Simplified Implementation Process
- Target State
- Executive Buy-in, Cost, and Impact
- Policy Language
- Employee Awareness and Training
- Information Dissemination—How to Educate Employees
- Policy Implementation Issues
- Governance and Monitoring
- Best Practices for IT Security Policy Implementations
- Case Studies and Examples of IT Security Policy Implementations
- CHAPTER SUMMARY
- KEY CONCEPTS AND TERMS
- CHAPTER 13 ASSESSMENT
- ENDNOTES
- CHAPTER 14 IT Security Policy Enforcement
- Organizational Support for IT Security Policy Enforcement
- An Organization’s Right to Monitor User Actions and Traffic
- Compliance Law: Requirement or Risk Management?
- What Is Law and What Is Policy?
- What Automated Security Controls Can Be Implemented Through Policy?
- Legal Implications of IT Security Policy Enforcement
- Who Is Ultimately Accountable for Risks, Threats, and Vulnerabilities?
- Best Practices for IT Security Policy Enforcement
- Case Studies and Examples of Successful and Unsuccessful IT Security Policy Enforcement
- CHAPTER SUMMARY
- KEY CONCEPTS AND TERMS
- CHAPTER 14 ASSESSMENT
- CHAPTER 15 IT Policy Compliance and Compliance Technologies
- Creating a Baseline Definition for Information Systems Security
- Tracking, Monitoring, and Reporting IT Security Baseline Definition and Policy Compliance
- Automating IT Security Policy Compliance
- Compliance Technologies and Solutions
- Best Practices for IT Security Policy Compliance Monitoring
- Case Studies and Examples of Successful IT Security Policy Compliance Monitoring
- CHAPTER SUMMARY
- KEY CONCEPTS AND TERMS
- CHAPTER 15 ASSESSMENT
- APPENDIX A Answer Key
- APPENDIX B Standard Acronyms
- Glossary of Key Terms
- References
- Index
© obpcnh/Shutterstock
IT Security Policy Framework Approaches |
CHAPTER |
AN INFORMATION TECHNOLOGY (IT) security policy framework supports business objectives and legal obligations. It also promotes an organization’s core values. It defines how an organization identifies, manages, and disposes of risk. A core objective of a security framework is to establish a corporate culture that values security, which creates an organization’s risk culture.
Selecting the right information security framework is important. There are a variety of frameworks in the industry to choose from. A number of these are industry-specific. Others offer a comprehensive view of IT that cuts across all industries. Which one is right for your organization will depend on the organization’s needs, the employees’ experience, and the regulators that have jurisdiction. It must also be noted that nothing prevents you from taking elements from diverse frameworks and combining them for your organization. This is obviously more work than simply applying an existing framework, but in some situations, a hybrid solution may be the appropriate choice.
Regulators will have an interest in how the organization’s leadership manages risk. One way to demonstrate this is to adopt and effectively execute security policy frameworks. Additionally, selecting frameworks that are common within your industry increases the likelihood of success by allowing your organization to share experiences and incorporate learning from across the industry.
You can look at a security framework as a systematic way to identify, mitigate, and reduce risks. The data can be at rest or moving through a process. In this context, risk represents an event that could affect the completion of these processes. For an organization truly to have control over these risks, a strong system of internal security controls must be in place. Everyone in the organization should understand and adhere to its security policies. These security policies and controls must extend beyond the IT department and into the business process.
The framework manages risk at an enterprise level. It helps an organization deal with conflicting priorities, resource constraints, and uncertainty. An effective IT security policy framework also enables management to deliver value to the business.
This chapter reviews various security policy frameworks. It discusses policy strengths and their positioning in the market. Additionally, this chapter examines key elements from the frameworks such as roles, responsibilities, separation of duties, governance, and compliance.
Chapter 8 Topics
This chapter covers the following topics and concepts:
- How to choose an IT security policy framework
- How to set roles, responsibilities, and accountabilities for personnel
- Why separation of duties within an organization is important
- What a structured approach to security policy governance and compliance entails
- What the best practices are for IT security policy framework approaches
- What are some case studies and examples of IT security policy framework approaches
Chapter 8 Goals
When you complete this chapter, you will be able to:
- Compare and contrast multiple frameworks
- Identify the top security policy frameworks
- Understand the type of roles needed to support these frameworks
- Explain the responsibilities of these roles
- Describe how roles create a separation of duties
- Describe how roles create a layered approach to security
- Understand the need for and importance of governance and compliance
- Understand how these frameworks are applied in the real world through case studies
-
No Comment