Information security policies, procedures, and standards : guidelines for effective information security management

Select an Action

Place Hold(s)
Add to My Lists
Email
Print

Title:

Personal Author:

Peltier, Thomas R.

Publication Information:

Boca Raton, FL : Auerbach Publications, 2002

ISBN:

9780849311376

Subject Term:

Computer security

Data protection

Available:*

Library	Item Barcode	Call Number	Material Type	Item Category 1	Status
Searching... PSZ JB	30000010133988	QA76.9.A25 P447 2002	Open Access Book	Book	Searching... Unknown
Searching... PSZ JB	30000010226045	QA76.9.A25 P447 2002	Open Access Book	Book	Searching... Unknown
Searching... PSZ KL	30000010205939	QA76.9.A25 P447 2002	Open Access Book	Book	Searching... Unknown

By definition, information security exists to protect your organization's valuable information resources. But too often information security efforts are viewed as thwarting business objectives. An effective information security program preserves your information assets and helps you meet business objectives. Information Security Policies, Procedures, and Standards: Guidelines for Effective Information Security Management provides the tools you need to select, develop, and apply a security program that will be seen not as a nuisance but as a means to meeting your organization's goals.

Divided into three major sections, the book covers: writing policies, writing procedures, and writing standards. Each section begins with a definition of terminology and concepts and a presentation of document structures. You can apply each section separately as needed, or you can use the entire text as a whole to form a comprehensive set of documents. The book contains checklists, sample policies, procedures, standards, guidelines, and a synopsis of British Standard 7799 and ISO 17799.

Peltier provides you with the tools you need to develop policies, procedures, and standards. He demonstrates the importance of a clear, concise, and well-written security program. His examination of recommended industry best practices illustrates how they can be customized to fit any organization's needs. Information Security Policies, Procedures, and Standards: Guidelines for Effective Information Security Management helps you create and implement information security procedures that will improve every aspect of your enterprise's activities.

Acknowledgments	p. xi
Introduction	p. xiii
1 Overview: Information Protection Fundamentals	p. 1
1.1 Elements of Information Protection	p. 1
1.2 More Than Just Computer Security	p. 3
1.3 Roles and Responsibilities	p. 4
1.4 Common Threats	p. 8
1.5 Policies and Procedures	p. 9
1.6 Risk Management	p. 9
1.7 Typical Information Protection Program	p. 11
1.8 Summary	p. 11
2 Writing Mechanics and the Message	p. 13
2.1 Attention Spans	p. 13
2.2 Key Concepts	p. 15
2.3 Topic Sentence and Thesis Statement	p. 16
2.4 The Message	p. 17
2.5 Writing Don't's	p. 18
2.6 Summary	p. 18
3 Policy Development	p. 21
3.1 Policy Definitions	p. 21
3.2 Frequently Asked Questions	p. 22
3.3 Policies Are Not Enough: A Preliminary Look at Standards, Guidelines, and Procedures	p. 25
3.4 Policy, Standards, Guidelines, and Procedures: Definitions and Examples	p. 26
3.5 Policy Key Elements	p. 27
3.6 Policy Format and Basic Policy Components	p. 28
3.7 Policy Content Considerations	p. 31
3.8 Program Policy Examples	p. 32
3.9 Topic-Specific Policy Examples	p. 38
3.10 Additional Hints	p. 44
3.11 Topic-Specific Policy Subjects to Consider	p. 45
3.12 An Approach for Success	p. 46
3.13 Additional Examples	p. 47
3.14 Summary	p. 50
4 Mission Statement	p. 53
4.1 Background on Your Position	p. 53
4.2 Business Goals versus Security Goals	p. 54
4.3 Computer Security Objectives	p. 55
4.4 Mission Statement Format	p. 56
4.5 Allocation of Information Security Responsibilities (ISO 17799-4.1.3)	p. 56
4.6 Mission Statement Examples	p. 57
4.7 Support for the Mission Statement	p. 63
4.8 Key Roles in Organizations	p. 64
4.9 Business Objectives	p. 65
4.10 Review	p. 66
5 Standards	p. 69
5.1 Where Does a Standard Go?	p. 70
5.2 What Is a Standard?	p. 70
5.3 International Standards	p. 71
5.4 Summary	p. 76
6 Writing Procedures	p. 83
6.1 Definitions	p. 83
6.2 Writing Commandments	p. 84
6.3 Key Elements in Procedure Writing	p. 86
6.4 Procedure Checklist	p. 86
6.5 Getting Started	p. 87
6.6 Procedure Styles	p. 88
6.7 Creating a Procedure	p. 105
6.8 Summary	p. 105
7 Information Classification	p. 107
7.1 Introduction	p. 107
7.2 Why Classify Information	p. 107
7.3 What Is Information Classification?	p. 108
7.4 Establish a Team	p. 109
7.5 Developing the Policy	p. 110
7.6 Resist the Urge to Add Categories	p. 110
7.7 What Constitutes Confidential Information	p. 111
7.8 Classification Examples	p. 113
7.9 Declassification or Reclassification of Information	p. 118
7.10 Information Classification Methodology	p. 118
7.11 Authorization for Access	p. 147
7.12 Summary	p. 148
8 Security Awareness Program	p. 149
8.1 Key Goals of an Information Security Program	p. 149
8.2 Key Elements of a Security Program	p. 150
8.3 Security Awareness Program Goals	p. 151
8.4 Identify Current Training Needs	p. 153
8.5 Security Awareness Program Development	p. 154
8.6 Methods Used to Convey the Awareness Message	p. 155
8.7 Presentation Key Elements	p. 157
8.8 Typical Presentation Format	p. 157
8.9 When to Do Awareness	p. 158
8.10 The Information Security Message	p. 158
8.11 Information Security Self-Assessment	p. 158
8.12 Conclusion	p. 159
9 Why Manage This Process as a Project?	p. 161
9.1 First Things First--Identify the Sponsor	p. 161
9.2 Defining the Scope of Work	p. 163
9.3 Time Management	p. 164
9.4 Cost Management	p. 170
9.5 Planning for Quality	p. 170
9.6 Managing Human Resources	p. 171
9.7 Creating a Communications Plan	p. 171
9.8 Summary	p. 173
10 Information Technology: Code of Practice for Information Security Management	p. 175
10.1 Scope	p. 175
10.2 Terms and Definitions	p. 175
10.3 Information Security Policy	p. 176
10.4 Organization Security	p. 177
10.5 Asset Classification and Control	p. 178
10.6 Personnel Security	p. 179
10.7 Physical and Environmental Security	p. 180
10.8 Communications and Operations Management	p. 181
10.9 Access Control Policy	p. 182
10.10 Systems Development and Maintenance	p. 183
10.11 Business Continuity Planning	p. 183
10.12 Compliance	p. 184
11 Review	p. 187
Appendices
Appendix A Policy Baseline Checklist	p. 195
Policy Baseline	p. 195
Appendix B Sample Corporate Policies	p. 205
Conflict of Interest	p. 205
Employee Standards of Conduct	p. 208
External Corporate Communications	p. 211
Information Protection	p. 213
General Security	p. 214
Appendix C List of Acronyms	p. 215
Appendix D Sample Security Policies	p. 225
Network Security Policy	p. 225
Business Continuity Planning	p. 230
Dial-In Access	p. 231
Access Control	p. 233
Communications Security Policy	p. 234
Software Development Policy	p. 236
System and Network Security Policy	p. 237
Electronic Communication Policy	p. 238
Sign-On Banner	p. 242
Standards of Conduct for Electronic Communications	p. 243
E-Mail Access Policy	p. 244
Internet E-Mail	p. 246
Software Usage	p. 249
Appendix E Job Descriptions	p. 255
Chief Information Officer (CIO)	p. 255
Information Security Manager	p. 257
Security Administrator	p. 258
Firewall Administrator, Information Security	p. 260
Appendix F Security Assessment	p. 261
I. Security Policy	p. 261
II. Organizational Suitability	p. 264
III. Physical Security	p. 269
IV. Business Impact Analysis, Continuity Planning Processes	p. 273
V. Technical Safeguards	p. 278
VI. Telecommunications Security	p. 281
Appendix G References	p. 285
About the Author	p. 287
Index	p. 289

Available:*

On Order

Summary

Summary

Table of Contents