lecture 3 infosec

Cards (11)

    • Policies serve as an outline for acceptable behavior and the use of information within an organization.
    • Designed to create a productive and effective work environment.
    • Policies function as a low-cost form of control to prevent incidents involving information.
    • End users should be involved in forming policies.
    • Policies should not conflict with the law.
  • Enterprise Information Security Policy (EISP)
    • Sets the strategic direction for the information security program at a high level
    • An overview of the corporate security philosophy.
    • Information on the information security organization's structure and the roles and responsibilities within it.
    • Example of an individual policy statement within an EISP: "Company X information must be used only for the business purposes of the company as explicitly authorized by management."
  • Issue Specific Security Policies (ISSP)
    • Provides detailed and targeted guidance on using shared resources securely, at an organizational level.
    • Explains how technology should be used and controlled.
    • Introduces the organization's fundamental resource-use philosophy.
    • Can be created as: individual policy documents, each tailored to a specific issue; a single comprehensive policy covering all issues; or a modular policy document.
    • A modular policy document combines policy creation and administration while maintaining each specific issue's requirements (the most recommended ISSP approach).
  • Configuration Rules
    • Instructional codes that guide the execution of the system when information is passing through it.
  • Controls in SysSP
    • Access control lists (ACLs)
    • Configuration settings
  • Access Control Lists (ACL)
    • Enable administrators to restrict access according to user, computer, time, duration, or even a particular file.
    • Regulate who can use the system, what they can access, when and where they can access it, and how authorized users can access the system.
  • ACL privileges:
    • read
    • write
    • execute
    • delete
  • System-Specific Security Policies (SysSP)
    • Provides managerial guidance and technical specifications for configuring or maintaining systems; the organization's low-level policy.
    • Similar to standards or procedures for dealing with specific systems.
    • Any technology affecting the CIA of information must be evaluated using a SysSP.
    • Used to give managerial guidance for new hardware and to address employee behavior.
    • Includes controls such as access control lists (ACLs) and configuration settings.