Table of Contents
Chapter 1: Understanding Policy
Looking at Policy Through the Ages
The United States Constitution as a Policy Revolution
Successful Policy Characteristics
Information Security Policy Lifecycle
Regulations and Directives Cited
Chapter 2: Policy Elements and Style
Plain Language Techniques for Policy Writing
Regulations and Directives Cited
Chapter 3: Information Security Framework
Information Security Framework
Can the ISO Standards and NIST Publications Be Used to Build a Framework?
Chapter 4: Governance and Risk Management
Understanding Information Security Policies
What Is Meant by Strategic Alignment?
User Versions of Information Security Policies
Vendor Versions of Information Security Policies
Client Synopsis of Information Security Policies
Who Authorizes Information Security Policy?
Revising Information Security Policies: Change Drivers
Evaluating Information Security Polices
Information Security Governance
What Is a Distributed Governance Model?
Information Assets and Systems
Who Is Responsible for Information Assets?
How Does the Federal Government Classify Data?
Why Is National Security Information Classified Differently?
Who Decides How National Security Data Is Classified?
How Does the Private Sector Classify Data?
Can Information Be Reclassified or Even Declassified?
Labeling and Handling Standards
Chapter 6: Human Resources Security
What Does Recruitment Have to Do with Security?
What Happens in the Onboarding Phase?
What Should an Employee Learn During Orientation?
Why Is Termination Considered the Most Dangerous Phase?
The Importance of Employee Agreements
What Are Confidentiality or Non-disclosure Agreements?
What Is an Acceptable Use Agreement?
The Importance of Security Education and Training
Chapter 7: Physical and Environmental Security
Understanding the Secure Facility Layered Defense Model
How Is Physical Access Controlled?
Chapter 8: Communications and Operations Security
Standard Operating Procedures (SOPs)
Why Is Patching Handled Differently?
Are There Different Types of Malware?
Is There a Recommended Backup or Replication Strategy?
What Makes Email a Security Risk?
Activity Monitoring and Log Analysis
What Should Be Included in Service Provider Contracts?
Chapter 9: Access Control Management
Infrastructure Access Controls
What Is Layered Border Security?
What Types of Access Should Be Monitored?
Chapter 10: Information Systems Acquisition, Development, and Maintenance
Chapter 11: Information Security Incident Management
Organizational Incident Response
What Is an Incident Response Program?
What Happened? Investigation and Evidence Handling
Data Breach Notification Requirements
Is There a Federal Breach Notification Law?
Chapter 12: Business Continuity Management
What Is a Resilient Organization?
Business Continuity Risk Management
What Is a Business Continuity Threat Assessment?
What Is a Business Continuity Risk Assessment?
What Is a Business Impact Assessment?
Chapter 13: Regulatory Compliance for Financial Institutions
The Gramm-Leach-Bliley Act (GLBA)
What Is a Financial Institution?
What Are the Interagency Guidelines?
What Is a Regulatory Examination?
Personal and Corporate Identity Theft
What Is Required by the Interagency Guidelines Supplement A?
Chapter 14: Regulatory Compliance for the Healthcare Sector
What Is the Objective of the HIPAA Security Rule?
How Is the HIPAA Security Rule Organized?
What Are the Physical Safeguards?
What Are the Technical Safeguards?
What Are the Organizational Requirements?
What Are the Policies and Procedures Standards?
The HITECH Act and the Omnibus Rule
What Changed for Business Associates?
What Are the Breach Notification Requirements?
Chapter 15: PCI Compliance for Merchants
What Is the PCI DDS Framework?
What Are the PCI Requirements?
Who Is Required to Comply with PCI DSS?
What Is a Data Security Compliance Assessment?
Are There Penalties for Noncompliance?
Appendix A: Information Security Program Resources
National Institute of Standards and Technology (NIST) Special Publications
Federal Financial Institutions Examination Council (FFIEC) IT Handbooks
Department of Health and Human Services HIPAA Security Series
Payment Security Standards Council Documents Library
Information Security Professional Development and Certification Organizations
Appendix B: Sample Information Security Policy
Section 1: Governance and Risk Management
Goals and Objectives for Section 1: Governance and Risk Management
Governance and Risk Management Policy Index
1.0 Governance and Risk Management Policy
Supporting Resources and Source Material
Goals and Objectives for Section 2: Asset Management
Supporting Resources and Source Material
Section 3: Human Resources Security
Goals and Objectives for Section 3: Human Resources Security
Human Resources Security Policy Index
3.0 Human Resources Security Policy
Supporting Resources and Source Material
Section 4: Physical and Environmental Security
Goals and Objectives for Section 4: Physical and Environmental Security
Physical and Environmental Security Policy Index
4.0 Physical and Environmental Security Policy
Supporting Resources and Source Material
Section 5: Communications and Operations Security
Goals and Objectives for Section 5: Communications and Operations Security
Communications and Operations Policy Index
5.0 Communications and Operations Policy
Supporting Resources and Source Material
Section 6: Access Control Management
Goals and Objectives for Section 6: Access Control Management
Infrastructure Access Control Policy Index
Supporting Resources and Source Material
Section 7: Information Systems Acquisition, Development, and Maintenance
Goals and Objectives for Section 7: Information Systems Acquisition, Development, and Maintenance
Information Systems Acquisition, Development, and Maintenance Policy Index
7.0 Information Systems Acquisition, Development, and Maintenance Policy
Supporting Resources and Source Material
Section 8: Incident Management
Goals and Objectives for Section 8: Incident Management
Incident Management Policy Index
8.0 Incident Management Policy
Supporting Resources and Source Material
Section 9: Business Continuity
Goals and Objectives for Section 9: Business Continuity
Business Continuity Policy Index
9.0 Business Continuity Policy
Supporting Resources and Source Material
Appendix C: Information Systems Acceptable Use Agreement and Policy
Information Systems Acceptable Use Agreement
Information Systems Acceptable Use Agreement
Acceptable Use of Information Systems Policy
2.0 Authentication and Password Controls
4.0 Messaging Use and Security