Automated Policy Management - This type of software was developed in response to the needs of information security practitioners.
Automation - It can streamline the repetitive steps of writing policy, tracking the workflow of policy approvals, publishing policy once it is written and approved, and tracking when employees have read the policy.
Information Security Blueprint - It is the basis for all security program elements; a scalable, upgradeable, comprehensive plan to meet the organization's current and future information security needs.
Policies - These are the managerial directives that specify acceptable and unacceptable employee behavior in the workplace.
Policies - These are the living documents that must be managed.
Policies - These documents must be properly distributed, read, understood, agreed to, uniformly applied, and managed.
Four Components of Security Policies: Responsible Manager, Schedule of Reviews, Review Procedures and Practices, Policy and Revision Date
The policy manager is often called the Policy Administrator.
Policy Administrator - It is an employee who is responsible for the creation, revision, distribution, and storage of a policy in an organization.
Schedule of Reviews - Policies can only retain their effectiveness in a changing environment if they are periodically reviewed for currency and then modified accordingly.
Schedule of Reviews - Policies that are not kept current can become liabilities as outdated rules are enforced and new requirements are ignored.
Review Procedures and Practices - The policy manager should implement a mechanism by which people can make recommendations for revisions, whether via e-mail, office mail, or an anonymous drop box.
Review Procedures and Practices - Once the policy has come up for review, all comments should be examined and management-approved improvements should be implemented.
Policy and Revision Date - The simple action of dating the policy is often omitted.
Policy and Revision Date - When policies are drafted and published without dates, confusion can arise.
Sunset Clause - It indicates a policy's expiration date, particularly if the policy governs information use in a short-term business association.
Sunset Clause - It is a component of policy or law that defines an expected end date for its applicability.
Information Security Framework - It is an outline or structure of the organization's overall information security strategy that is used as a road map for planned changes to its information security environment.
ISO 27000 - This is the standard information security policy.
Information Security Model - It is an established information security framework, often popular among other organizations and backed by a recognized security agency, with exemplar details an organization may want to emulate in creating its own framework blueprint.
Sphere of Security - It measures how well you're protected against intruders.
Sphere of Use - It refers to an area where a person can use something safely or freely.
Sphere of Protection - It designates an area in which a person is legally permitted to protect another person from any dangers that might exist there.
Sphere of Safety - This sphere requires attentiveness for overhead hazards, underground dangers, and surrounding risks.
Three Levels of Control: Managerial Control, Operational Control, Technical Control.
Managerial Controls - These focus on administrative planning, organizing, leading, and controlling, and are designed by strategic planners and implemented by the organization.
Managerial Controls Safeguards are: Governance and Risk Management
Operational Control - It focuses on lower-level planning that deals with the functionality of the organization's security.
Operational Control Safeguards are: disaster recovery and incident response planning.
Technical Control - It focuses on the application of modern technologies, systems, and processes to protect information assets.
Technical Control safeguards are: firewalls, virtual private networks, and IDPSs.
Defense in Depth - A strategy for protection of information assets that uses multiple layers and different types of control that will provide optimal protection.
Redundancy - Multiple types of technology that prevent the failure of one system from compromising the security of information.
Security Perimeter - The boundary between an organization's security efforts and the outside world or untrusted network areas.
Security Domain - An area of trust within which information assets share the same level of protection.
Security Education, Training, and Awareness - A managerial program designed to improve the security of information assets by providing targeted knowledge, skills, and guidance for organizations.
Security Training - It provides employees with detailed information and hands-on instruction to prepare them to perform their duties securely.
Security Awareness - A security awareness program is one of the least frequently implemented but most beneficial programs in an organization.
Security Awareness - It is designed to keep information security at the forefront of users' minds.