INFORMATION SYSTEM STRATEGY AND POLICY
2017 UED, VU THI TRA

STRATEGIES AND POLICIES FOR IS SECURITY
PART 2

VTT 2
OBJECTIVES

What are strategies and policies for information system security?
6 key components
How to write an information security policy

6 KEY POLICY COMPONENTS

1. A definition of information security, its overall objectives and scope, and the importance of security as an enabling mechanism for information sharing
2. A statement of management intent, supporting the goals and principles of information security in line with the business strategy and objectives
3. A framework for setting control objectives and controls, including the structure of risk assessment and risk management

http://aim.uoregon.edu/news/ebriefing/critical_information_security_management_strategy.php

6 KEY POLICY COMPONENTS

4. A brief explanation of the security policies, principles, standards, and compliance requirements of particular importance to the organization, including compliance with legislative, regulatory, and contractual requirements, and security education
5. A definition of general and specific responsibilities for information security management, including reporting information security incidents
6. References to documentation which may support the policy, e.g. more detailed security policies and procedures for specific information systems, or security rules with which users should comply

http://aim.uoregon.edu/news/ebriefing/critical_information_security_management_strategy.php
CUSTOM SECURITY POLICIES

Get security policies for your business at
http://www.instantsecuritypolicy.com

SECURITY POLICIES
http://www.instantsecuritypolicy.com

Acceptable Use
Password
Backup
Network Access
Incident Response
Remote Access
Email
Guest Access
Wireless
Third Party Connection
Network Security
Confidential Data
Encryption
Mobile Device
Data Classification
Outsourcing
Retention
VPN
Physical Security

HOW TO WRITE AN INFO SECURITY POLICY

1. Create a framework
2. Make it about mandates
3. Employ sub-policies
4. Use supplementary documents:
   Roles and responsibilities
   Technology standards
   Process
   Procedures
   Guidelines

CSO from IDG, 2017

HOW TO WRITE AN INFO SECURITY POLICY

5. What an information security policy includes:
   Scope
   Information classification (rather than generic "confidential" or "restricted")
   Management goals
   Context
   Supporting documents
   Specific instructions
   Responsibilities
   Consequences

CSO from IDG, 2017

INFORMATION SECURITY STRATEGIC PLAN
UNIVERSITY OF CONNECTICUT

IT SECURITY PROGRAM

[Cycle diagram with the stages: Risk Assessment; Identify; Measure; Controls; Implement; Resource and Mitigate]

STRATEGIC OBJECTIVES

1. Data Loss Prevention
2. Improved security of system and network services
3. Proactive risk management
4. Crisis and security incident management

University of Connecticut

KEY INITIATIVES

1. Security Policy, Standards and Guidelines framework
2. Information Security Risk Management
3. Operation Continuity and Disaster Recovery
4. Identity and Access Management
5. Network and System Security Architecture
6. Information Security Awareness Training

University of Connecticut

INFORMATION SECURITY STRATEGY IN ORGANIZATIONS
HORNE ET AL., 2015
AUSTRALASIAN CONFERENCE ON INFORMATION SYSTEMS

BUILDING INFORMATION SECURITY STRATEGY

1. Information Security Strategy: Plan or Process?
2. The Information Security Strategy Construction
   Conceptualisation
   Levels of analysis (individuals, groups, organizations)
   Measurement domains
3. The Information Security Strategy Nomological Network
   Antecedents
   Constituents
   Yields

Key findings of thematic analysis, Horne et al., 2015
