Item Barcode | Call Number | Material Type | Item Category 1
---|---|---|---
30000010133988 | QA76.9.A25 P447 2002 | Open Access Book | Book
30000010226045 | QA76.9.A25 P447 2002 | Open Access Book | Book
30000010205939 | QA76.9.A25 P447 2002 | Open Access Book | Book
Summary
By definition, information security exists to protect your organization's valuable information resources. But too often information security efforts are viewed as thwarting business objectives. An effective information security program preserves your information assets and helps you meet business objectives. Information Security Policies, Procedures, and Standards: Guidelines for Effective Information Security Management provides the tools you need to select, develop, and apply a security program that will be seen not as a nuisance but as a means to meeting your organization's goals.
Divided into three major sections, the book covers: writing policies, writing procedures, and writing standards. Each section begins with a definition of terminology and concepts and a presentation of document structures. You can apply each section separately as needed, or you can use the entire text as a whole to form a comprehensive set of documents. The book contains checklists, sample policies, procedures, standards, guidelines, and a synopsis of British Standard 7799 and ISO 17799.
Peltier provides you with the tools you need to develop policies, procedures, and standards. He demonstrates the importance of a clear, concise, and well-written security program. His examination of recommended industry best practices illustrates how they can be customized to fit any organization's needs. Information Security Policies, Procedures, and Standards: Guidelines for Effective Information Security Management helps you create and implement information security procedures that will improve every aspect of your enterprise's activities.
Table of Contents
Acknowledgments | p. xi |
Introduction | p. xiii |
1 Overview: Information Protection Fundamentals | p. 1 |
1.1 Elements of Information Protection | p. 1 |
1.2 More Than Just Computer Security | p. 3 |
1.3 Roles and Responsibilities | p. 4 |
1.4 Common Threats | p. 8 |
1.5 Policies and Procedures | p. 9 |
1.6 Risk Management | p. 9 |
1.7 Typical Information Protection Program | p. 11 |
1.8 Summary | p. 11 |
2 Writing Mechanics and the Message | p. 13 |
2.1 Attention Spans | p. 13 |
2.2 Key Concepts | p. 15 |
2.3 Topic Sentence and Thesis Statement | p. 16 |
2.4 The Message | p. 17 |
2.5 Writing Don'ts | p. 18 |
2.6 Summary | p. 18 |
3 Policy Development | p. 21 |
3.1 Policy Definitions | p. 21 |
3.2 Frequently Asked Questions | p. 22 |
3.3 Policies Are Not Enough: A Preliminary Look at Standards, Guidelines, and Procedures | p. 25 |
3.4 Policy, Standards, Guidelines, and Procedures: Definitions and Examples | p. 26 |
3.5 Policy Key Elements | p. 27 |
3.6 Policy Format and Basic Policy Components | p. 28 |
3.7 Policy Content Considerations | p. 31 |
3.8 Program Policy Examples | p. 32 |
3.9 Topic-Specific Policy Examples | p. 38 |
3.10 Additional Hints | p. 44 |
3.11 Topic-Specific Policy Subjects to Consider | p. 45 |
3.12 An Approach for Success | p. 46 |
3.13 Additional Examples | p. 47 |
3.14 Summary | p. 50 |
4 Mission Statement | p. 53 |
4.1 Background on Your Position | p. 53 |
4.2 Business Goals versus Security Goals | p. 54 |
4.3 Computer Security Objectives | p. 55 |
4.4 Mission Statement Format | p. 56 |
4.5 Allocation of Information Security Responsibilities (ISO 17799-4.1.3) | p. 56 |
4.6 Mission Statement Examples | p. 57 |
4.7 Support for the Mission Statement | p. 63 |
4.8 Key Roles in Organizations | p. 64 |
4.9 Business Objectives | p. 65 |
4.10 Review | p. 66 |
5 Standards | p. 69 |
5.1 Where Does a Standard Go? | p. 70 |
5.2 What Is a Standard? | p. 70 |
5.3 International Standards | p. 71 |
5.4 Summary | p. 76 |
6 Writing Procedures | p. 83 |
6.1 Definitions | p. 83 |
6.2 Writing Commandments | p. 84 |
6.3 Key Elements in Procedure Writing | p. 86 |
6.4 Procedure Checklist | p. 86 |
6.5 Getting Started | p. 87 |
6.6 Procedure Styles | p. 88 |
6.7 Creating a Procedure | p. 105 |
6.8 Summary | p. 105 |
7 Information Classification | p. 107 |
7.1 Introduction | p. 107 |
7.2 Why Classify Information | p. 107 |
7.3 What Is Information Classification? | p. 108 |
7.4 Establish a Team | p. 109 |
7.5 Developing the Policy | p. 110 |
7.6 Resist the Urge to Add Categories | p. 110 |
7.7 What Constitutes Confidential Information | p. 111 |
7.8 Classification Examples | p. 113 |
7.9 Declassification or Reclassification of Information | p. 118 |
7.10 Information Classification Methodology | p. 118 |
7.11 Authorization for Access | p. 147 |
7.12 Summary | p. 148 |
8 Security Awareness Program | p. 149 |
8.1 Key Goals of an Information Security Program | p. 149 |
8.2 Key Elements of a Security Program | p. 150 |
8.3 Security Awareness Program Goals | p. 151 |
8.4 Identify Current Training Needs | p. 153 |
8.5 Security Awareness Program Development | p. 154 |
8.6 Methods Used to Convey the Awareness Message | p. 155 |
8.7 Presentation Key Elements | p. 157 |
8.8 Typical Presentation Format | p. 157 |
8.9 When to Do Awareness | p. 158 |
8.10 The Information Security Message | p. 158 |
8.11 Information Security Self-Assessment | p. 158 |
8.12 Conclusion | p. 159 |
9 Why Manage This Process as a Project? | p. 161 |
9.1 First Things First--Identify the Sponsor | p. 161 |
9.2 Defining the Scope of Work | p. 163 |
9.3 Time Management | p. 164 |
9.4 Cost Management | p. 170 |
9.5 Planning for Quality | p. 170 |
9.6 Managing Human Resources | p. 171 |
9.7 Creating a Communications Plan | p. 171 |
9.8 Summary | p. 173 |
10 Information Technology: Code of Practice for Information Security Management | p. 175 |
10.1 Scope | p. 175 |
10.2 Terms and Definitions | p. 175 |
10.3 Information Security Policy | p. 176 |
10.4 Organization Security | p. 177 |
10.5 Asset Classification and Control | p. 178 |
10.6 Personnel Security | p. 179 |
10.7 Physical and Environmental Security | p. 180 |
10.8 Communications and Operations Management | p. 181 |
10.9 Access Control Policy | p. 182 |
10.10 Systems Development and Maintenance | p. 183 |
10.11 Business Continuity Planning | p. 183 |
10.12 Compliance | p. 184 |
11 Review | p. 187 |
Appendices | |
Appendix A Policy Baseline Checklist | p. 195 |
Policy Baseline | p. 195 |
Appendix B Sample Corporate Policies | p. 205 |
Conflict of Interest | p. 205 |
Employee Standards of Conduct | p. 208 |
External Corporate Communications | p. 211 |
Information Protection | p. 213 |
General Security | p. 214 |
Appendix C List of Acronyms | p. 215 |
Appendix D Sample Security Policies | p. 225 |
Network Security Policy | p. 225 |
Business Continuity Planning | p. 230 |
Dial-In Access | p. 231 |
Access Control | p. 233 |
Communications Security Policy | p. 234 |
Software Development Policy | p. 236 |
System and Network Security Policy | p. 237 |
Electronic Communication Policy | p. 238 |
Sign-On Banner | p. 242 |
Standards of Conduct for Electronic Communications | p. 243 |
E-Mail Access Policy | p. 244 |
Internet E-Mail | p. 246 |
Software Usage | p. 249 |
Appendix E Job Descriptions | p. 255 |
Chief Information Officer (CIO) | p. 255 |
Information Security Manager | p. 257 |
Security Administrator | p. 258 |
Firewall Administrator, Information Security | p. 260 |
Appendix F Security Assessment | p. 261 |
I. Security Policy | p. 261 |
II. Organizational Suitability | p. 264 |
III. Physical Security | p. 269 |
IV. Business Impact Analysis, Continuity Planning Processes | p. 273 |
V. Technical Safeguards | p. 278 |
VI. Telecommunications Security | p. 281 |
Appendix G References | p. 285 |
About the Author | p. 287 |
Index | p. 289 |