Roles of Policy
Internal and External

Internal Role
What is expected from employees
How their actions will be judged

External Role
Tells the world how the enterprise is run
Policies to support business practices
Understanding of assets is vital, and assets must be protected
Policy? A management decision.
3 Forms of Policy
Tier 1 (General Program)
Tier 2 (Topic-Specific)
Tier 3 (System/App-Specific)

Tier 3 focuses on decisions taken by management to control particular applications (financial reporting, payroll, etc.) or specific systems (budgeting system).
Tier 1
Organization-wide: 11 policies minimum, implemented to support the entire business/mission of the enterprise
1 Employment Practices
To ensure all candidates get an equal opportunity for a position
Hiring and new employee orientation
Background checks for key management level
Sleeping on the job, substance abuse, introduction of unauthorized software into company systems, plus penalties
3 Conict of Interest
Employees must have a special sensitivity to conflict-of-interest situations or relationships.
4 Performance Management
Employee job performance is used in determining an employee's appraisal, and is to be included as an element that affects the level of employee performance.
5 Employee Discipline
Used when things go wrong: implements sanctions on an employee or group of employees.
6 Information Security
Establishes the concept that information is an asset and the property of the organization.
7 Corporate Communications
What is and is not allowed in organization correspondence
8 Workplace Security
Addresses the need to provide a safe and secure work environment for employees
Includes: authorized access, visitor requirements, property removal, emergency response plans, etc.
Establish effective continuity plans. Conduct business impact analyses for all applications, systems, and business processes. Identify preventive controls. Coordinate the business unit BCP with the IT disaster recovery plan. Test the plan and train employees on the plan. Maintain the plan in a current state of readiness.
Thursday, March 15, 12
Addresses items that must be included in any policy; the policy applies to all employees, contractors, consultants, per diem, and other third parties. (???)
11 Record Management
There will be a time to destroy records; establish the standards for ensuring information is there as required by regulations.
For each record: the record name, a brief description of the record, the owning department, and the required length of time to keep the record.
12 Asset Classification
Establishes the need to classify information, the classification categories, and who is responsible for doing so

ISM Documentation
Policy
Standards
Procedures
Guidelines
Definitions
Policy
A high-level statement of enterprise beliefs, goals, and objectives and the general means for their accomplishment for a specified subject area
Standards
Mandatory requirements that support individual policies, such as: what software or hardware can be used, what remote access protocol is to be implemented, and who is responsible for approving what
Definitions
Procedures
Mandatory, step-by-step, detailed actions required to successfully complete a task
Guidelines
More general statements designed to achieve the policy's objectives by providing a framework within which to implement procedures. Not a law, just recommendations.
Document Policies
Policy Statement, Responsibilities, Scope, Compliance
Policy Statement
Information is a company asset and is the property of the Company. Company information must be protected according to its value, sensitivity, and criticality, regardless of the media on which it is stored, the manual or automated systems that process it, or the methods used to distribute it.
Responsibilities
1. Company officers and senior management are required to make sure that internal controls are adequate to safeguard company assets, including company information.
2. Company line managers are responsible for making sure that all employees are aware of and comply with this information security policy, its supporting policies and standards, and all applicable laws and regulations.
3. All employees, regardless of their status (permanent, part-time, contract, etc.), are responsible for protecting information from unauthorized access, modification, disclosure, and destruction.
Scope
Company information includes information that is electronically generated and information that is printed, typed, filmed, or verbally communicated.
Compliance
Company management is responsible for monitoring compliance with this information security policy, its supporting policies and standards, and all applicable laws and regulations. Employees, regardless of their status (permanent, part-time, contract, etc.), who fail to comply with this information security policy, its supporting policies and standards, or any applicable law or regulation will be considered in violation of their terms of employment and will be subject to appropriate corrective action.
Task
Create an Information Protection Policy
Case: based on your IMT Information Potential Breach