 
Information Security Policies, Procedures, and Standards: Guidelines for Effective Security Management / Edition 2
by Thomas R. Peltier, Peltier R. Peltier
Overview
Information Security Policies and Procedures: A Practitioner’s Reference, Second Edition illustrates how policies and procedures support the efficient running of an organization. This book is divided into two parts, an overview of security policies and procedures, and an information security reference guide. This volume points out how security documents and standards are key elements in the business process that should never be undertaken to satisfy a perceived audit or security requirement. Instead, policies, standards, and procedures should exist only to support business objectives or mission requirements; they are elements that aid in the execution of management policies.
The book emphasizes how information security must be integrated into all aspects of the business process. It examines the 12 enterprise-wide (Tier 1) policies and maps information security requirements to each. The text also discusses the need for topic-specific (Tier 2) policies and application-specific (Tier 3) policies, and details how they map to standards and procedures.
It may be tempting to download some organization’s policies from the Internet, but Peltier cautions against that approach. Instead, he investigates how best to use examples of policies, standards, and procedures toward the achievement of goals. He analyzes the influx of national and international standards, and outlines how to effectively use them to meet the needs of your business.
Product Details
- ISBN-13: 9780849319587
- Publisher: Taylor & Francis
- Publication date: 06/11/2004
- Edition description: REV
- Pages: 412
- Sales rank: 1,255,485
- Product dimensions: 6.50(w) x 9.40(h) x 1.10(d)
Table of Contents
INFORMATION SECURITY POLICIES AND PROCEDURES 
Introduction 
Corporate Policies 
Organizationwide (Tier 1) Policies 
Organizationwide Policy Document 
Legal Requirements 
Duty of Loyalty 
Duty of Care 
Other Laws and Regulations 
Business Requirements 
Where to Begin? 
Summary 
Why Manage This Process as a Project?  
Introduction 
First Things First: Identify the Sponsor 
Defining the Scope of Work 
Time Management 
Cost Management 
Planning for Quality 
Managing Human Resources 
Creating a Communications Plan 
Summary 
Planning and Preparation 
Introduction 
Objectives of Policies, Standards, and Procedures 
Employee Benefits 
Preparation Activities 
Core and Support Teams 
Focus Groups 
What to Look for in a Good Writer and Editor 
Development Responsibilities 
Other Considerations 
Key Factors in Establishing the Development Cost 
Reference Works 
Milestones 
Responsibilities 
Development Checklist 
Summary 
Developing Policies  
Policy Is the Cornerstone 
Why Implement Information Security Policy? 
Some Major Points for Establishing Policies 
What Is a Policy? 
Definitions 
Policy Key Elements 
Policy Format 
Additional Hints 
Pitfalls to Avoid 
Summary 
Asset Classification Policy  
Introduction 
Overview 
Why Classify Information? 
What Is Information Classification? 
Where to Begin? 
Resist the Urge to Add Categories 
What Constitutes Confidential Information? 
Employee Responsibilities 
Classification Examples 
Declassification or Reclassification of Information 
Records Management Policy 
Information Handling Standards Matrix 
Information Classification Methodology 
Authorization for Access 
Summary 
Developing Standards  
Introduction 
Overview 
Where Do Standards Belong? 
What Does a Standard Look Like? 
Where Do I Get the Standards? 
Sample Information Security Manual 
Summary 
Developing Procedures 
Introduction 
Overview 
Important Procedure Requirements 
Key Elements in Procedure Writing 
Procedure Checklist 
Getting Started 
Procedure Styles 
Procedure Development Review 
Observations 
Summary 
Creating a Table of Contents 
Introduction 
Document Layout 
Document Framework 
Preparing a Draft Table of Contents 
Sections to Consider 
Summary 
Understanding How to Sell Policies, Standards, and Procedures 
Introduction 
Believe in What You Are Doing 
Return on Investment for Security Functions 
Effective Communication 
Keeping Management Interested in Security 
Why Policies, Standards, and Procedures Are Needed 
The Need for Controls 
Where to Begin? 
Summary 
Appendix 1A Typical Tier 1 Policies  
Introduction 
Tier 1 Policies 
Employee Standards of Conduct 
Conflict of Interest 
Employment Practices 
Records Management 
Corporate Communications 
Electronic Communications 
Internet Security 
Internet Usage and Responsibility Statement 
Employee Discipline 
General Security 
Business Continuity Planning 
Information Protection 
Information Classification 
Appendix 1B Typical Tier 2 Policies  
Introduction 
Electronic Communications 
Internet Security 
Internet Usage and Responsibility Statement 
Computer and Network Management 
Anti-Virus Policy 
Computer and Network Management 
Personnel Security 
Systems Development and Maintenance Policy 
Application Access Control Policy 
Data and Software Exchange Policy 
Network Access Control 
Network Management Policy 
Information Systems’ Operations Policy 
Physical and Environmental Security 
User Access Policy 
Employment Agreement 
Appendix 1C Sample Standards Manual 
Introduction 
The Company Information Security Standards Manual 
Table of Contents 
Preface 
Corporate Information Security Policy 
Responsibilities 
Standards 
Appendix 1D Sample Information Security Manual 
The Company Information Security Policy Manual 
General 
What Are We Protecting? 
User Responsibilities 
Access Control Policy 
Penalty for Security Violation 
Security Incident Handling Procedures 
Virus and Worm Incidents 
Malicious Hacker Incidents 
INFORMATION SECURITY REFERENCE GUIDE 
Introduction to Information Security 
Definition of Information 
What is Information Security? 
Why Do We Need To Protect Information? 
What Information Should Be Protected? 
Fundamentals of Information Security  
Introduction 
Information Availability (Business Continuity) 
Information Integrity 
Information Confidentiality 
Employee Responsibilities  
Introduction 
Owner 
Custodian 
User 
Information Classification 
Introduction 
Classification Process 
Reclassification 
Information Handling  
Introduction 
Information Labeling 
Information Use and Duplication 
Information Storage 
Information Disposal 
Tools of Information Security  
Introduction 
Access Authorization 
Access Control 
Backup and Recovery 
Awareness 
Information Processing 
General 
Right to Review 
Desktop Processing 
Training 
Physical Security 
Proprietary Software — Controls and Security 
Software Code of Ethics 
Computer Virus Security 
Office Automation 
Information Security Program Administration 
Introduction 
Corporate Information Systems Steering Committee 
Corporate Information Security Program 
Organization Information Security Program
Baseline Organization Information Security Program
Introduction 
Pre-Program Development 
Program Development Phase 
Program Implementation Phase 
Program Maintenance Phase 
Appendix 2A  
Information Handling Procedures Matrix 
Glossary 
Information Identification Worksheet 
Information Risk Assessment Worksheet 
Summary and Controls Worksheet 
Risk Assessment: Self-assessment Questionnaire