Information Security Policy in Depth Excerpt


Category: Business and Industry

Date Submitted: 06/05/2014 01:15 AM


Information Security Policy

Learn Policy by Writing, Analyzing and Reviewing Policy Fragments With a Series of Guided Labs and Exercises

It never ceases to amaze me that you can't take a class in Information Security without being told to do this or that in accordance with "your security policy," but nobody ever explains what the policy is, let alone how to write or evaluate it. That is why we undertook this research and education project on basic security policy. We hope you will find this module useful and that you will participate in its evolution. Consensus is a powerful tool. We need the ideas and criticisms from the information security community in order to make this, "The Roadmap," a usable and effective policy. Thank you!

Stephen Northcutt

SMART Security Policy and Procedure

• Specific, Measurable, Achievable, Reasonable, Time Based
  – Who does the procedure?
  – What is the procedure?
  – When is the procedure done?
  – Where is the procedure done?
  – Why is the procedure done?

How Specific Should Your Security Policy Be?

• There really is no one-size-fits-all answer
• Remember that it is usually easier to get a procedure approved or changed than a policy
• It largely depends on your organization's policy review turnaround time

General or specific and why?

"Secret shall be applied to information the unauthorized disclosure of which reasonably could be expected to cause serious damage to the national security that the original classification authority is able to identify or describe."

General or specific and why?

• "Equipment which is working, but has reached the end of its useful life, will be made available for purchase by employees. A lottery system will be used to determine who has the opportunity to purchase available equipment.
• All equipment purchases must go through the lottery process. Employees cannot purchase their office computer directly or “reserve” a system. This ensures that all employees have an equal chance of obtaining equipment.
• ...