Sunday, April 16, 2017

Information Security Policies - Week 5


Organizations need to develop information security policies for their operations. There are three types of information security policies: enterprise information security policy (EISP), issue-specific security policy (ISSP), and system-specific security policy (SysSP). Each of these policies serves a different purpose within an organization.

EISP deals with the organization's overall information security posture. It defines what InfoSec means for the organization, identifies the critical components of InfoSec within it, and details the responsibilities of each department, as well as of individual users, for InfoSec. This policy also defines the staffing necessary to support InfoSec, lays out how the InfoSec program will function throughout the organization, and provides the document that all other InfoSec policies will reference.

ISSP deals with how technology-based resources will be used and how they will be afforded InfoSec. It defines how each resource will be used, who may use it, and what restrictions apply to its use. The policy covers physical security, who is authorized to use the resource, what is considered fair and responsible use of the resource, and what is considered misuse. It stipulates what the organization may do for systems management, such as monitoring, physical security, virus protection, and encryption. It also sets a timeline for scheduled reviews of the policy and lays out the procedures for modifying it.

A SysSP addresses exactly who can use each system in the performance of their duties, what parts of each system a user can access, when the system is available for access, from where the system may be accessed, and to what extent users can access the system. Each system may be set up with specific rights to the information it contains, defining what type of access each user has, whether that is read-only, write, execute, or delete access.
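As an added illustration (not part of the original post), the following Python shows how the SysSP questions above (who, what parts, when, from where, and to what extent) become enforceable rules. The systems, roles, networks, and time windows are constructed sample values, and every rule is default-deny: a request is allowed only when a rule for that role on that system grants the operation, the time falls inside the rule's window, and the request comes from a permitted network.

```python
"""Evaluate system-specific (SysSP) access rules: who, what, when, from where, to what extent."""
from dataclasses import dataclass
from datetime import datetime, time
from ipaddress import ip_address, ip_network

# The access types named in the policy text.
PERMISSIONS = frozenset({"read", "write", "execute", "delete"})


@dataclass(frozen=True)
class AccessRule:
    system: str             # which system the rule covers
    role: str               # who may use it (a role, not an individual user)
    permissions: frozenset  # to what extent: a subset of PERMISSIONS
    start: time             # when: window start (inclusive)
    end: time               # when: window end (exclusive); start == end means all day
    networks: tuple         # from where: CIDR strings of permitted source networks

    def __post_init__(self):
        if not self.permissions <= PERMISSIONS:
            raise ValueError(f"unknown permission in rule for {self.system}")


def in_window(rule: AccessRule, now: time) -> bool:
    """True when `now` falls inside the rule's window; overnight windows (e.g. 22:00-06:00) are handled."""
    if rule.start == rule.end:
        return True
    if rule.start < rule.end:
        return rule.start <= now < rule.end
    return now >= rule.start or now < rule.end


def from_allowed_network(rule: AccessRule, source_ip: str) -> bool:
    """True when the request's source address lies in one of the rule's permitted networks."""
    addr = ip_address(source_ip)
    return any(addr in ip_network(cidr) for cidr in rule.networks)


def evaluate(rules, system, role, operation, now, source_ip):
    """Default-deny decision. Returns (allowed, reason); the reason is what an audit log would record."""
    reason = "no rule grants this role any access to the system"
    for rule in rules:
        if rule.system != system or rule.role != role:
            continue
        if operation not in rule.permissions:
            reason = f"'{operation}' not granted to {role} on {system}"
        elif not in_window(rule, now):
            reason = f"access to {system} not permitted at {now:%H:%M}"
        elif not from_allowed_network(rule, source_ip):
            reason = f"{source_ip} is outside the permitted networks for {system}"
        else:
            return True, f"permitted by rule for {role} on {system}"
    return False, reason


# Constructed sample rules (hypothetical systems, roles and networks).
SAMPLE_RULES = (
    AccessRule("payroll-db", "payroll-clerk", frozenset({"read", "write"}),
               time(8, 0), time(18, 0), ("10.10.0.0/16",)),
    AccessRule("payroll-db", "dba", PERMISSIONS,
               time(0, 0), time(0, 0), ("10.10.0.0/16", "10.99.0.0/24")),
    AccessRule("web-frontend", "developer", frozenset({"read", "execute"}),
               time(0, 0), time(0, 0), ("10.20.0.0/16", "192.168.50.0/24")),
    AccessRule("backup-server", "operator", frozenset({"read", "execute"}),
               time(22, 0), time(6, 0), ("10.30.0.0/24",)),   # overnight maintenance window
)


if __name__ == "__main__":
    # A few constructed requests run against the sample rules.
    requests = [
        ("payroll-db", "payroll-clerk", "read", time(10, 0), "10.10.5.7"),
        ("payroll-db", "payroll-clerk", "delete", time(10, 0), "10.10.5.7"),
        ("payroll-db", "payroll-clerk", "read", time(20, 0), "10.10.5.7"),
        ("payroll-db", "payroll-clerk", "read", time(10, 0), "192.168.1.5"),
        ("backup-server", "operator", "execute", time(23, 30), "10.30.0.5"),
        ("web-frontend", "auditor", "read", datetime.now().time(), "10.20.1.1"),
    ]
    for req in requests:
        allowed, why = evaluate(SAMPLE_RULES, *req)
        print("ALLOW" if allowed else "DENY ", req[:3], why)
```

Keeping each decision's reason alongside the allow/deny result is what makes the policy auditable: the denied requests in the demo are rejected for four different reasons (operation not granted, outside the time window, wrong source network, no applicable rule), and each maps back to one of the SysSP questions.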

