QUESTION

If an organization is going to have a chance at a successful security program, they need to develop policies that provide direction for all security efforts and guide the conduct of the users. These policies need to be well written to provide the organization with solid guidance to support their security objectives.

  • Identify and briefly describe the three types of security policies. Your response should include a discussion of where each should be used.
  • Where should policy writers look to find supporting material when developing the policies for their organization?

Policies function like laws in an organization because they dictate acceptable and unacceptable behavior there, as well as the penalties for failure to comply. Like laws, policies define what is right and wrong, the penalties for violating policy, and the appeal process. Standards, on the other hand, are more detailed statements of what must be done to comply with policy. They have the same requirements for compliance as policies. Standards may be informal or part of an organizational culture, as in de facto standards. Or, standards may be published, scrutinized, and ratified by a group, as in formal or de jure standards. Practices, procedures, and guidelines effectively explain how to comply with policy. Figure 4-2 shows the relationships among policies, standards, guidelines, procedures, and practices. This relationship is further examined in the nearby Offline feature.

The meaning of the term security policy depends on the context in which it is used. Governmental agencies view security policy in terms of national security and national policies to deal with foreign states. A security policy can also communicate a credit card agency's method for processing credit card numbers. In general, a security policy is a set of rules that protects an organization's assets. An information security policy provides rules for protection of the organization's information assets.

Management must define three types of security policy, according to Special Publication (SP) 800-14 of the National Institute of Standards and Technology (NIST):

1. Enterprise information security policies
2. Issue-specific security policies
3. Systems-specific security policies

Figure 4-2 Policies, standards, guidelines, and procedures

Several published information security frameworks by government organizations, private organizations, and professional societies supply information on best practices for their members

paulkoome
ANSWER

*** ***** ***** ** ******** policies are:1Enterprise *********** ******** ******** (EISP)2Issue-Specific ******** Policies ******************** Security PoliciesA ***** description ** **** type ** ******** policies:1)Enterprise Information Security Policies ****** ** also referred ** asgeneral security policy These *** documents from *** ********* level ** shape *** security ********** ** ***** ********** company's ** *********** ***** ********* ***** ** ********** *** *** *********** implementation *** ********** ** the ******** ******* ****** the ***************** ******** ********* the requirements *** ****** responsibilities ** the ******* ***** ** ******** ************** ******* ** **** the definition ** ***** *********** ******* *** ************* ** the ******* It **** ******* *** legal ********** ****** ** is ******* by *** ****** **** *** ***** *********** ******** ******* (CISO) ** *** ************ guiding the ****** ********** ******** ProgramThese ******** support *** ******* ****** *** ********** ** an ************ These ******** basically ******* ***** ** laws *** *** protection ** an ************** information ****** *** policy **** *** direction ***** and **** for *** ******** ******* *** policy ** ******** **** if ***** ** * ****** ** *** ********* ********* of *** **************************** policies ****** these policies *** designed ** ********** *** manage *** end ****** ***** ** ********* ******** ****** ****** activities **** ** support *** ************* ******** ***** and objectives ***** ******** are ******* on all ********* *** *** ****** ** the **************** resources like ******* ******** ******** other devices ******** ******** *** ****** **** applications e-mail Internet ****** ****** BYODs ****** Your *** ******** such ** the ************* ********* ******* ****** ****** and network ** **** *** usage ** *** cloud *** ******** ******* *** ******* ************ policies ******* specific ************ requiring ******** ******* *** 
********** ********** ** *** **************** position on specific ****** These ******** ******* *** ******** on ********* *** has ****** to *** ******** ***** of ******** ****** ** ********* ** ******* ******** ***** ** ********* and ******* ********** *** ************ ** ********** ******* ************************ ******** ******** SysSP ** unique **** ******** to EISP *** **** ** is * *** of ******** functioning as ************ ** procedures **** **** *********** ******* ** * ********* ********** ******** documents ** ***** *** ************* ** technology intended devices ********* ********** ********** etc ** ******* *********** ******** ** *** ************ ******** ****** ** *** ** *** ** *** ******** ********** ******* ** differs **** other policy ***** *** its ******* ********** ********* ***** **** implemented system-specific policies *** ********* *** ***** software and ***** ************ ** ***** ************** support personnel *** ***** ******* employees ** *** ******* *** it ** * ***** ** ** **** * manual ** procedures illustrating ** *** ******* ****** ** ********** ** *********** ********** of where **** should be **************** ******** ******** or Enterprise Information ******** *********** **** ****** ** ************* ********* ********* enterprise ************ in ******* both ****** and ******* ****** ********* ********** agency ******* companies and ******* ** ******* *********** security ******** *** ** *** *** **** anywhere and everywhere ***** information ** rest *** ** ******* *** to ** safegaurded for securing **** from *** *************** ********* and ************ *********** Specific Policies ****** *** independent *** *** **** covering specific ****** like * specific ********** ** ******** *** its ***** *** are meant *** ******** **************************** ******** ******** ***** *** **** ****** in ********* ********* ** ****** ** enterprise environmentsThese ******** *** **** targeted documents ******* to **** ******** systems **** 
*** ******** ** ** addressed ***** **** system ** workplaces needs *** own Systems-specific Security ******** ** define *** ******* *** ** ********* how ** be ********** *** *** it ** ********* ***** *** thepolicy ********* **** ********** material when developing the policies *** ***** organization **** ****** look ** ******* published information security ********** ** ********** organizations ******* organizations and ************ ********* that ****** *********** on **** ********* *** ***** ************* ********** **** ***** ** *** ********* ********* ** *** National ********* of ********* and ********** ****** **** *** refer ** *** *********** such as *** *** ***** ********** which *** **** detailed ********** ** **** **** ** **** ** comply ********** ** ******** **** **** requirements for ********** as ******** **** *** **** ***** to *** ********* *** *********** ********* *** ***** is **** ******** ** * ***** ** ****** ** *** **** ************* ****** ******* could also look ** and refer ** *** ********* ********** *** ********** ********** ** *** ** ****** **** ********** ** evident the ****** writers should ************ look ** *** three ***** of security ******** ****** ********** information ******** ******** ****** ***** ******** policies ****** *** *************** Security ****** *****
