Policy Review (Top-Down) Methodology 83
3. System- and application-specific policies. These policies focus on one
specific system or application. As the construction of security architecture
for an organization takes shape, the final element will be the translation
of program and topic-specific policies to the application and system level.
Typical subjects for application-specific policies include:
E-mail usage
Internet usage
Anti-virus programs
The components of a program policy should include:
Topic. The topic portion of the policy normally defines the goals of the
program. When discussing information, most program policies concentrate
on protecting the confidentiality, integrity, availability, and authenticity of
the information resources. Additionally, it will attempt to establish that
information is an item of value to the enterprise and, as such, must be
protected from unauthorized access, modification, disclosure, and destruction,
whether accidental or deliberate.
Scope. The scope is a way to broaden or narrow the topic, such as “all
information wherever stored and however generated.” This could expand
the topic on information security, whereas a statement such as “computer-
generated data only” would sharply narrow the topic scope. The scope
statement can also broaden or narrow the audience affected by the policy.
For example, the statement “the policy is intended for all employees” pretty
much takes in all the people working for the enterprise, whereas “personnel
with access to top-secret information” would limit the audience.
Responsibilities. Typically, this section of the policy identifies who is responsible
for what actions. The identification is done using job titles, not actual
names. For a policy on information classification, the roles can be described
as owner, custodian, and user. To be correct, ensure that every policy states
which individuals or groups of people are responsible for which actions.
Compliance. A better term might be noncompliance. The policy will
generally discuss two issues regarding compliance:
What actions occur when an individual is found to be in noncompliance
with the policy
What actions the business unit must take when found in a noncompliant
situation
When critiquing a policy, remember to look for the four key elements:
1. Topic
2. Scope
3. Responsibilities
4. Compliance
Contents
ISO 17799 has established a set of guidelines for policy content. The NVA
top-down policy reviewer should be familiar with these guidelines, as well