
Information Security Policies & Procedures


Thursday, March 15, 12

Roles of Policy
Internal
External


Internal Role
What is expected from employees
How their actions will be judged


External Role
Tell the world how the Enterprise runs
Policies to support business practices
Understanding of assets is vital; they must be protected


Policy
Direction from Senior Management
Specific Security Rules

Management Decision

3 Forms of Policy
Tier 1 (General Program)
Tier 2 (Topic-Specific)
Tier 3 (System/App-Specific)


Tier 1
To create the organization's overall vision and direction


Tier 2

Address particular subjects of concern.


Tier 3
Focus on decisions taken by management to control particular applications (financial reporting, payroll, etc.) or specific systems (budgeting system)


Tier 1
Organization Wide
11 Policies Minimum
Implemented to support the entire business/mission of the enterprise


1 Employment Practices
To ensure all candidates get an equal opportunity for a position
Hiring & New Employee Orientation
Background checks for key management level


2 Employee Standards of Conduct
How employees conduct themselves when on company property or representing the organization.
Unacceptable behaviors (Dishonesty, Sleeping on the job, Substance abuse, Introduction of unauthorized software into company systems) + Penalties


3 Conflict of Interest
Employees must have a special sensitivity to conflict-of-interest situations or relationships
Inappropriateness of personal involvement


4 Performance Management
Employee job performance is used in determining an employee's appraisal
Information security requirements should be included as an element that affects the level of employee performance


5 Employee Discipline
Is used when things go wrong
Implement sanctions on an employee or group of employees
Ensure that all involved in the investigation are properly protected


6 Information Security
Establishes the concept that information is an asset and the property of the organization
All employees are required to protect this asset


7 Corporate Communications
What is and is not allowed in organization correspondence
Address information requests from outside the organization (white papers, brochures, press conferences, etc.)


8 Workplace Security
Address the need to provide a safe and secure work environment for employees
Include: authorized access, visitor requirements, property removal, emergency response plans, etc.


9 Business Continuity Plan
IT Disaster Recovery Plan
Focus: establish business unit procedures to support restoration of critical business processes, applications and systems

Establish effective continuity plans.
Conduct business impact analyses for all applications, systems, and business processes.
Identify preventive controls.
Coordinate the business unit BCP with the IT disaster recovery plan.
Test the plan and train its employees on the plan.
Maintain the plan to a current state of readiness.

10 Procurement & Contracts
The way in which the organization conducts its business with outside firms
Address items that must be included in any contracts
The policy applies to all employees, contractors, consultants, per diem, and other third parties. (???)


11 Record Management
There will be a time to destroy a record
Establish the standards for ensuring information is there as required by regulations, and for when it is time to properly dispose of the information


The record name
A brief description of the record
The owning department
The required length of time to keep the record


12 Asset Classification
Establishes the need to classify information, the classification categories, and who is responsible for doing so
The classification level
The owner's job title

ISM Documentations
Policy

Standards

Procedures

Guidelines


Definitions
Policy
A high-level statement of enterprise beliefs, goals, and objectives and the general means for their accomplishment for a specified subject area

Standards
Mandatory requirements that support individual policies, such as: what software or hardware can be used, what remote access protocol is to be implemented, who is responsible for approving what


Definitions
Procedures
Mandatory, step-by-step, detailed actions required to successfully complete a task

Guidelines
More general statements designed to achieve the policy's objectives by providing a framework within which to implement procedures
Not a law, just recommendations

Document Policies
Policy Statement
Responsibilities
Scope
Compliance

Policy Statement
Information is a company asset and is the property of the Company. Company information must be protected according to its value, sensitivity, and criticality, regardless of the media on which it is stored, the manual or automated systems that process it, or the methods used to distribute it.


Responsibilities
1. Company officers and senior management are required to make sure that internal controls are adequate to safeguard company assets, including company information.
2. Company line managers are responsible for making sure that all employees are aware of and comply with this information security policy, its supporting policies and standards, and all applicable laws and regulations.
3. All employees, regardless of their status (permanent, part-time, contract, etc.), are responsible for protecting information from unauthorized access, modification, disclosure, and destruction.

Scope
Company information includes information that is electronically generated and information that is printed, typed, filmed, or verbally communicated.


Compliance
Company management is responsible for monitoring compliance with this information security policy, its supporting policies and standards, and all applicable laws and regulations. Employees, regardless of their status (permanent, part-time, contract, etc.), who fail to comply with this information security policy, its supporting policies and standards, or any applicable law or regulation will be considered in violation of their terms of employment and will be subject to appropriate corrective action.


Task
Create an Information Protection Policy
Case: Based on your IMT Information Potential Breach
