Mcap

Date Submitted: 06/05/2016 03:33 PM

Kriss Smith

Chapter 1 Review questions

University of Potomac

Abstract

This paper will explore various aspects of information security, policies, and practices within a company. In addition, it will outline the differences between policies, standards, and practices and identify the situations in which each should be used. Last but not least, we'll also identify the components of an effective EISP and ISSP.

Introduction

Management plays a major role with regard to information security policies and practices, but the question is how big a role, and what does that role consist of? Management must make policies the basis for all information security planning, design, and deployment. Policy should never contradict law. Management teams face tough tasks when implementing these three concepts in the workplace. There are notable differences between a policy, a standard, and a practice, as well as different scenarios in which each would be used.

What are the differences between a policy, a standard, and a practice? What are the three types of security policies? Where would each be used? What type of policy would be needed to guide use of the Web? E-mail? Office equipment for personal use?

A policy is a set of guidelines or instructions that regulate the activities of the organization's members. Policies are organizational laws. Standards are more detailed descriptions of what must be done to adhere to policy. Practices effectively explain what must be done to comply with policy.

1. Enterprise information security policies: the general security policy, IT security policy, or information security policy. It is based on and supports the mission, covers responsibilities that are shared by all members of the organization, and articulates the responsibilities that are unique to each role in the company.

2. Issue-specific security policies: These address specific areas of technology. They may cover topics like use of company-owned networks and the internet, electronic...