2 - Report: Information security policy of the organization
What is a security policy?
• A security policy is a high-level document, or collection of documents, describing the security controls to be implemented for the purpose of protecting the organization.
• A security policy preserves confidentiality, availability, integrity and asset value.
• Without a security policy, the organization cannot prevent situations such as possible criminal acts, loss of profit and public exposure.
Why is a security policy needed?
• To counter security threats that arise from various weaknesses and to protect the organization's information from loss;
• To carry out all of the organization's functions in a secure manner;
• To reduce the company's exposure to external information threats;
• A security policy provides legal protection by determining which rules must be used on the network, how confidential information is to be preserved, and which encryption algorithms are needed to reduce disclosure of the organization's information and its liabilities;
• Security policies reduce the likelihood of security failures by anticipating threats before they occur and by identifying weaknesses;
• They minimize the risk of the organization's information being lost or leaked by putting backup and recovery operations in place.
Benefits of security policies
• Enhanced information and network security
• Risk reduction
• Monitoring and control of device usage and information transfer
• High network performance
• Quick response to problems and reduced downtime
• Lower stress levels for those in charge
• Reduced costs
Security policy hierarchy
• Laws: these establish the laws that every employee in the organization must follow.
• Normative documents: these ensure that employees comply with the laws.
• Policies: with the help of policies, the organization develops legal and internal network requirements for the security of its own network.
• Standards: standards describe the methods for implementing policy.
• Instructions: instructions determine the strategy for implementing the organization's policies and standards.
• Procedures: procedures are a collection of step-by-step stages for carrying out the process of enforcing the organization's policies.
• General rules: general rules provide advice that is followed by choice.
Characteristics of a good security policy
• Useful
• Economically justified
• Concise and precise
• Understandable
• Practical
• Stable
• Compliant with cyber and legal laws, standards, rules and instructions
• Relatively durable
Security policy content
Security requirements
• This statement describes the requirements for the system that implements the security policy. There are 4 types of security requirements:
• Discipline security requirements
• Safeguard security requirements
• Procedural security requirements
• Assurance security requirements
Policy description
• This part focuses mainly on security disciplines, safeguards, procedures, continuity of operations and documentation.
Security concept of operation
• This concept defines the roles, responsibilities and functions of the security policy.
Allocation of architecture elements
• This provides a computer system architecture allocation for each system in the program.
Typical policy content
The important sections of a policy are the following:
• general description of the security policy: presents the main information needed to review the policy;
• purpose: a detailed explanation of why the policy was created;
• scope: contains information about whom and what the policy covers;
• rules and responsibilities: defined for employees and for management;
• target audience: the users and customers for whom the policy is developed;
• policies: a statement for each aspect of the security policy;
• sanctions and violations: defines the allow/deny process that customers and users must comply with;
• contact information: information about whom to contact in the event of policy sanctions and/or violations;
• version number: ensures that all changes and updates to the policy are tracked correctly;
• glossary: contains the meaning of the various terms and abbreviations used in the policy.
Security policy statement
An organization's security policy will be successful if it consists of precise and concise statements.
A policy statement is a structure that defines the in-depth content of the organization's policy.
Policy statements help employees understand preventive measures.
Example of an ideal security policy statement: "Use of data is based on the requirements of the permissible activity, and subjects must go through an official approval process."
The policy statement above states precisely that employees use data only after management has approved it. If an employee does not comply with the security statement, it can be concluded that the organization has the right to take the necessary measures.
Steps for creating and implementing a security policy
1. Risk assessment: before developing its policy, the organization must assess the risks to its own assets.
2. Standard general rules: before developing its security policy, the organization must establish general rules.
3. Management involvement: management must be involved in the process of developing a new security policy or adding to the existing one.
4. Penalties: certain organizations have strict policies in place. If employees do not follow these policies, a number of measures are taken against them.
5. Final development: once management has approved the complete policy documents, they are distributed to everyone in the organization.
6. Acceptance by employees: the organization must require employees to accept the security policy.
7. Implementing the policy: additional enforcement tools may be used in the organization to implement the policy.
8. Employee training: employees must be trained continuously on the organization's security policy.
9. Review and update: even if the organization has been operating for a long time, the security policy must be reviewed again.
Considerations when developing a security policy
• What is the purpose of the policy? Is it an additional cost or simply a formality?
• Does security fit into any training program?
• Does the security policy match the organization's goals?
• Will the policy consist of general best-practice rules, or should it be based on a standard?
• How many people are governed by this policy? Who are they?
• What should every employee know at a minimum?
• Does the policy really need to contain every detail in writing, or is it written specifically for IT staff?
• How can the policy be organized in a meaningful way?
• What do employees need to understand from the policy?
Security policy design
• Develop the policies you plan to use
• Explain the purpose of the policy
• Develop a security policy that does not require updating in the short term
• Separate policies, standards and recommendations
• Present the organization's main goals
• Make sure the policy is understandable
• Make the organization's policy part of security training
• Identify the main expected risks
• Verify that the policy is being implemented
Recommendations for implementing a security policy successfully:
• Ensure that the organization's security policy is supported by the relevant management and officially adopted as company policy.
• Review each policy and think about how it applies within the organization.
• Make sure that appropriate tools exist for the policy.
• Create a plan for any changes needed to the network or the policy.
• Work with any department in the organization (for example, IT, AH and others) to establish procedures that support the policy.
• Provide the organization with basic security training courses.
• Present the security policy to all employees who have the right to use the information assets governed by the policy.
• The information security officer should be responsible for managing and implementing the security policy.
• Make sure the organization is provided with the technology and tools necessary for proper management of the security policy.
• Where visitors to the organization are given the opportunity to use the network, implement this on the basis of an acceptable policy.
Types of information security policies
Enterprise Information Security Policies (EISP)
• EISPs support organizations by offering ideas, goals and methods for a secure environment. They define methods for developing, implementing and managing security programs. These policies also ensure that the requirements of the proposed and required information security structure are met.
Issue-Specific Security Policies (ISSP)
• These policies are directed at one specific security issue in the organization. Their scope and field of application depend on the type of issue and the methods used for it. They specify preventive measures, for example the technologies required to authorize user access rights.
System-Specific Security Policies (SSSP)
• An SSSP aims its implementation at the overall security of a given system in the organization. Organizations develop and manage this kind of policy, which includes procedures and standards, for the purpose of maintaining the system. The technologies used by the organization are also covered by system-specific policies. This policy takes into account technology implementation and configuration as well as user actions.
Internet usage policy
Irregular policy (Promiscuous Policy)
• This policy places no restrictions on the use of system resources. For example, under a promiscuous Internet policy there are no restrictions on Internet use. A user can visit any site, download any program, and access a computer or network from a remote location.
Permission-based policy (Permissive Policy)
• Under this policy only known dangerous services/attacks or actions are blocked. For example, under a permissive Internet policy most Internet traffic is open, except for a few well-known and harmful services/attacks.
Paranoid policy (Paranoid Policy)
• Under a paranoid policy everything is prohibited. There are strict restrictions on users' use of the system or network on the organization's computers. In this case there is either no Internet connection at all or a connection with strict restrictions.
Cautious policy (Prudent Policy)
• A cautious policy starts with all services blocked. The administrator then individually allows safe and necessary services. This provides maximum security and records everything, such as system/network activity.
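The four Internet usage policies differ in their default decision and in whether a blocklist or an allowlist drives the exceptions. The sketch below is an added example, not part of the original slides; the service names, the two lists and the `Gateway` class are constructed assumptions, and the paranoid policy is modelled as no Internet connection at all.

```python
from dataclasses import dataclass, field

# Constructed sample data: service names and lists are illustrative assumptions.
KNOWN_BAD = {"telnet", "tftp"}        # blocked under a permissive policy
APPROVED = {"https", "dns", "smtp"}   # individually allowed under a prudent policy

@dataclass
class Gateway:
    policy: str                       # promiscuous | permissive | prudent | paranoid
    log: list = field(default_factory=list)

    def allows(self, user: str, service: str) -> bool:
        if self.policy == "promiscuous":
            verdict = True                        # no restrictions at all
        elif self.policy == "permissive":
            verdict = service not in KNOWN_BAD    # default allow, block known bad
        elif self.policy == "prudent":
            verdict = service in APPROVED         # default deny, allow approved only
        elif self.policy == "paranoid":
            verdict = False                       # modelled as: no Internet connection
        else:
            raise ValueError(f"unknown policy: {self.policy}")
        if self.policy == "prudent":
            # The prudent policy records all activity, allowed or denied.
            self.log.append((user, service, "allow" if verdict else "deny"))
        return verdict

def compare(requests):
    """Return {policy: [verdict per request]} for the same list of requests."""
    result = {}
    for name in ("promiscuous", "permissive", "prudent", "paranoid"):
        gateway = Gateway(name)
        result[name] = [gateway.allows(user, svc) for user, svc in requests]
    return result

# Constructed requests: an approved service, a known-bad one, an unknown one.
REQUESTS = [("alice", "https"), ("bob", "telnet"), ("carol", "irc")]

if __name__ == "__main__":
    for policy, verdicts in compare(REQUESTS).items():
        print(f"{policy:12}", verdicts)
```

The unknown service (`irc`) is where the permissive and prudent policies diverge: a blocklist lets it through, an allowlist does not.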
Acceptable usage policy
• This type of policy defines the proper use of computing resources.
• It sets out users' obligation to protect the information held in their accounts.
• Users must accept the policy's restrictions on access to computers online or on the Internet.
• The cautious policy covers principles, prohibitions, reviews and penalties, and prohibits users from using corporate resources for personal reasons.
• The acceptable use policy is an integral part of the information security policy.
• In general, organizations have new employees sign the acceptable use policy to acknowledge it before giving them permission to use information resources.
• The acceptable use policy covers the main aspects of what users must do and must not do in the IT infrastructure.
• To be confident that the acceptable use policy is being implemented correctly, the administrator must conduct regular security audits.
• For example, most organizations prohibit discussions on political and religious topics on their websites and in their mailboxes.
• Acceptable use policies mostly impose penalties for violating the policy.
• Such penalties can range from temporarily suspending the user's account to severe measures such as legal action.