
Information Security Policy

Week 14
Information Security Policy (ISP)
• Defined as “Documentation of measures accepted by the management as necessary to maintain Confidentiality, Integrity and Availability of information”
• A formal statement on the basis of which people are given access to the organization's resources and information assets
• Encompasses managerial, technological and legal aspects
Information Security Policy (ISP)
• Broadly comprises 3 groups of management:
– Managers who have budget and policy authority
– Technical groups who know what can and cannot be supported by technology
– Legal experts who know the legal ramifications of various policy changes
Information Security Policy (ISP)
• The objective of Information Security is:
– Protection of the interests of those relying on information, and on the information systems and communication that deliver the information, from harm resulting from failures of availability, integrity and confidentiality
• The objective is achieved when:
– Information systems are available and usable when required (Availability)
– Data and information are disclosed only to those who have the right to know (Confidentiality)
– Data and information are protected against unauthorized modification (Integrity)
Approach to implementing security
• Policy development
– The security objective and core principles provide a framework for developing the policy
• Roles & responsibilities
– An effective policy requires that individual roles, responsibilities and authorities are clearly communicated to and understood by all organizational members
• Design
– Develop a security and control framework consisting of standards, measures, practices and procedures
Approach to implementing security
• Implementation
– Once the design is approved, the policy should be put into action on a timely basis and maintained
• Monitoring
– Monitoring measures for the policy need to be established to detect security breaches and ensure their correction, such that all actual and suspected breaches are promptly identified, investigated and acted upon to ensure ongoing compliance with the policy, standards and minimum acceptable security practices
Approach to implementing security
• Awareness, training and education
– Awareness of the need to protect information, training in the skills needed to operate information systems securely, and education in security measures and practices are of critical importance for the success of an enterprise security policy
Areas covered by the ISP
• Access
– The ability to do something with a computer resource
– Refers to a technical ability (read, create, modify or delete a file, execute a program, or use an external connection)
• Access control
– The means by which that ability is explicitly enabled or restricted in some way
– Computer-based access controls can prescribe not only who or what is to have access to a specific system resource, but also the type of access that is permitted
– The controls for these may be built into:
• Operating system
• Application programs
• DBMS
– Logical access controls are built into computer systems or external devices
Areas covered by the ISP
• Access criteria
– In deciding whether to permit someone to use a system resource, logical access controls examine whether the user is authorized for the type of access required
– The system uses various access criteria to determine whether the request for access will be granted
– Typically a combination of criteria is used
Areas covered by the ISP
• Authorization
– Permission to use a computer resource
– Granted directly or indirectly
• Authentication
– Proving that users are who they claim to be
• Identity
– Usually unique, to support individual accountability
• Roles
– When access to information is granted by job assignment, access rights are grouped under the role name of the job
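The access decision these slides describe, as an added example that is not part of the lecture material: a logical access control that checks authentication first, then combines indirect (role-based) and direct authorization, and finally applies a further criterion before permitting the requested type of access. The users, roles, resources and the internal-network rule are constructed sample data.

```python
from enum import Flag, auto

class Access(Flag):
    """Types of access a logical access control can permit on a resource."""
    READ = auto()
    CREATE = auto()
    MODIFY = auto()
    DELETE = auto()
    EXECUTE = auto()

# Constructed sample policy (not from the slides): rights grouped by the
# role name of the job, plus grants made directly to an identity.
ROLE_RIGHTS = {
    "payroll-clerk": {"payroll-db": Access.READ | Access.MODIFY},
    "auditor": {"payroll-db": Access.READ, "audit-log": Access.READ},
    "dba": {"payroll-db": Access.READ | Access.MODIFY | Access.DELETE},
}
USER_ROLES = {"alice": {"payroll-clerk"}, "bob": {"auditor"}, "carol": {"dba"}}
DIRECT_GRANTS = {"bob": {"month-end-report": Access.EXECUTE}}
# A further criterion combined with authorization: destructive access to the
# payroll database is permitted only from the internal network.
INTERNAL_ONLY = {"payroll-db": Access.DELETE}

def names(flags: Access) -> str:
    return "|".join(a.name for a in Access if a in flags) or "none"

def effective_rights(user: str, resource: str) -> Access:
    """Union of rights granted indirectly (via roles) and directly (to the identity)."""
    rights = Access(0)
    for role in USER_ROLES.get(user, ()):
        rights |= ROLE_RIGHTS.get(role, {}).get(resource, Access(0))
    rights |= DIRECT_GRANTS.get(user, {}).get(resource, Access(0))
    return rights

def decide(user, authenticated, resource, requested, internal_network):
    """Authentication first, then authorization, then the extra criterion."""
    if not authenticated:
        return False, "identity not authenticated"
    granted = effective_rights(user, resource)
    missing = requested & ~granted
    if missing:
        return False, f"not authorized for {names(missing)} on {resource}"
    restricted = requested & INTERNAL_ONLY.get(resource, Access(0))
    if restricted and not internal_network:
        return False, f"{names(restricted)} on {resource} allowed only from the internal network"
    return True, "granted"
```

Every denial carries the criterion that failed, which is what a monitoring process needs to distinguish a failed login from an unauthorized request.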
