Chapter 5
Policy Review (Top-Down)
Methodology
The cornerstones of effective information security programs are well-written policy statements. This is the wellspring of all other directives, standards, procedures, guidelines, and other supporting documents. As with any assessment process, it is important to ensure that policies establish the direction management wants to go with regard to security. The top-down portion of the network vulnerability assessment (NVA) looks at the policies requested in the Pre-NVA Checklist (see Appendix B).
The top-down review will assess policies in two ways:
1. Do they exist?
2. If so, how good is the content?
This chapter briefly examines what makes a good policy statement. For an in-depth discussion on information security policies, refer to Information Security Policies, Procedures, and Standards by T.R. Peltier (Auerbach Publications, 2001). We will use portions of that book here and will rely on ISO 17799 to identify what policies are necessary and what their content should cover.
Definitions
Policy
A policy is a high-level statement of enterprise beliefs, goals, and objectives and the general means for their attainment for a specified subject area. A policy should be brief (which is highly recommended) and set at a high level.