THE ROLE OF INFORMATION SECURITY POLICY

The Role of Information Security Policy
Jarin Udom
CMGT/400
November 22, 2013
Eric Clifford

The Role of Information Security Policy
According to Kevin Mitnick, one of the world’s most famous (or infamous) hackers,
“companies could spend millions of dollars towards technological protections and that's money
wasted if somebody could basically call somebody on the telephone and either convince them to
do something on the computer which lowers the computers defenses or reveals the information
that they're seeking” (PBS, n.d.). Technical defenses have become increasingly sophisticated, but
the human element is still the biggest—and will likely continue to be the biggest—security
vulnerability at any organization. Although not completely effective, arguably the best ways to
mitigate this risk are policies, standards, and a concerted organizational effort to train and
educate employees and others working for the organization.
Policies and Standards
What is the difference between information security policies and standards? Information
security policies outline the ways an organization will protect information in the form of high-level
business rules and guidelines (PJ, 2009). Information security standards dictate more
detailed requirements for how an organization will implement those policies (PJ, 2009). For
example, an information security policy may require that all sensitive emails be encrypted and
digitally signed. The corresponding standard may specify that all sensitive email is to be
encrypted and digitally signed via PGP, using a 2048-bit key size and the RSA algorithm.
Policies
In any organization, it’s important to start with a high-level security policy before
considering standards, guidelines, or procedures. A security policy addresses the overarching
goals, concerns, and risks of the organization’s overall information security efforts. Information
security policies are “made by management when laying out the organization’s position”
(Conklin, White, Williams, Davis, Cothren, & Schou, 2011) on organizational security issues.
According to Diver (2006), when developing a security policy it’s important to consider
the company’s level of process maturity. She further elaborates that aiming too high at first,
especially in large organizations, “isn’t likely to be successful for a number of reasons including
lack of management buy-in, unprepared company culture and resources and other requirements
not in place” (Diver, 2006). Since information security policies are generally created by
management, it’s also important to assemble a team of subject matter experts to provide
information and assist managers and executives during the process.
Standards
Most standards in an organization are developed based on the organization’s high-level
security policy. However, according to Conklin et al. (2011), other standards are “externally
driven. Regulations for banking and financial institutions, for example, may require certain
security measures be taken by law.” Once a security policy is in place, engineers and subject
matter experts can begin the task of determining the best standards for implementing the
individual goals of the policy. For general information security, the National Institute of
Standards and Technology’s (NIST) Computer Security Resource Center is an excellent place to
start. NIST’s website contains a plethora of recommended cybersecurity standards and best
practices. Similarly, the Open Web Application Security Project’s (OWASP) wiki is a
community-maintained resource for web and other application security recommendations and
vulnerabilities. Finally, the organization may wish to employ subject matter experts and
consultants to develop standards based on industry-standard best practices and experience.
Role of Employees
As stated above, people are the weak link in any organizational information security plan.
Most people realize that employees with trusted access privileges may abuse their access to
compromise an organization’s information. However, as Kevin Mitnick illustrated, employees
can also be unwittingly tricked into divulging sensitive information or information that can assist
an intruder in compromising computer systems. Organizations must include human factors in
their security policies, and they must take efforts to inform employees and others working for the
organization about policies, standards, procedures and guidelines.
It is absolutely essential that employees understand that information compromises can
have serious consequences, not just for the organization but also for the employee themselves.
Employees and others working for the organization must be ever vigilant against social
engineering attempts, phishing, physical security breaches, and other human-oriented intrusion attempts.
For example, an intruder may attempt to gain access to a secure facility by waiting for an
authorized employee to swipe their security badge and then following them through the door, or
“piggybacking”, before it closes. Organizations can prevent this kind of intrusion by
implementing clear policies that every person passing into a secure area must swipe their badge
before entering. This kind of policy counteracts the normal human tendency to avoid
inconveniencing others.
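A "swipe before entering" policy is only verifiable if the organization can check that the number of people passing a door matches the number of badges read there. The script below is an added example, not part of the paper: it correlates two constructed event streams from a hypothetical access-control system (badge-reader swipes and a door sensor's count of people who passed) and flags door-open events where more people entered than badges were read. The log format, door names, badge IDs and the ten-second correlation window are all assumptions made for the example.

```python
from collections import namedtuple
from datetime import datetime, timedelta

# Constructed sample log (not from the paper). BADGE lines are reader swipes;
# COUNT lines are a hypothetical door sensor's count of people who passed
# while the door was open. Format: <timestamp> <kind> <door> <value>
SAMPLE_LOG = """\
2013-11-22T09:00:00 BADGE LAB-1 E1001
2013-11-22T09:00:04 COUNT LAB-1 2
2013-11-22T09:05:00 BADGE LAB-1 E1002
2013-11-22T09:05:02 BADGE LAB-1 E1003
2013-11-22T09:05:05 COUNT LAB-1 2
2013-11-22T10:00:00 COUNT LOBBY-2 1
2013-11-22T10:30:00 BADGE LOBBY-2 E1004
2013-11-22T10:30:03 COUNT LOBBY-2 1
"""

Event = namedtuple("Event", "ts kind door value")


def parse_log(text):
    """Parse the constructed log format into Event tuples, skipping blank lines."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, kind, door, value = line.split()
        events.append(Event(datetime.fromisoformat(ts), kind, door, value))
    return events


def find_tailgating(events, window=timedelta(seconds=10)):
    """Flag each COUNT event where more people passed the door than badges were
    read at that door within the preceding window. Returns a list of dicts
    (door, timestamp, persons counted, swipes seen, badge IDs seen)."""
    reads = [e for e in events if e.kind == "BADGE"]
    alerts = []
    for e in events:
        if e.kind != "COUNT":
            continue
        persons = int(e.value)
        swipes = [r for r in reads
                  if r.door == e.door and e.ts - window <= r.ts <= e.ts]
        if persons > len(swipes):
            alerts.append({
                "door": e.door,
                "ts": e.ts.isoformat(),
                "persons": persons,
                "swipes": len(swipes),
                "badges": [r.value for r in swipes],
            })
    return alerts


if __name__ == "__main__":
    # Two of the four door-open events in the sample should be flagged.
    for alert in find_tailgating(parse_log(SAMPLE_LOG)):
        print(alert)
```

Run over the sample, the first LAB-1 event (two people, one swipe) and the first LOBBY-2 event (one person, no swipe) are flagged, while the events where counts and swipes match pass silently. The correlation window should be tuned to the door's actual open time; too short a window produces false alerts for legitimate swipes that precede a slow walk through.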
Another example might be an intruder attempting to gain sensitive security information
over the phone. Kevin Mitnick famously exploited the natural human tendency to be helpful by
calling government agencies and posing as a fellow employee who was having technical
problems, and he was able to convince employees to give him the names of computer systems
and even execute commands on his behalf (PBS, n.d.). Employees should verify the identity of
any unknown caller, even if they claim to be in distress or a high-level executive (another
common tactic). However, an exception can be made for familiar voices, as studies have shown
that people are quite good at recognizing voices—an accuracy rate of 92% when hearing a
familiar voice for only 5.3 seconds and an accuracy rate of 79% when hearing a barely familiar
voice for 15.3 seconds (Kreiman & Sidtis, 2011, p. 177).
Conclusion
As Kevin Mitnick said, “the human side of computer security is easily exploited and
constantly overlooked” (PBS, n.d.). While the proliferation of botnets, worms, and easily
available “script kiddy” tools has clearly made the role of technological information security
measures more important than ever, the human element remains the weak point of any
information security plan. In order to mitigate this risk, organizations must develop clear
information security policies and then use them to develop standards to be implemented
throughout the organization. In addition, they must train and educate employees about the
risks posed by social engineering attempts, phishing, physical security breaches, and other
human-based intrusion attempts, and the importance of guarding against them.
References
Conklin, A., White, G., Williams, D., Davis, R., Cothren, C., & Schou, C. (2011). Principles of
computer security: CompTIA Security+ and beyond (Exam SY0-301) (3rd ed.). New York,
NY: McGraw Hill Professional.
Diver, S. (2006). Information security policy: A development guide for large and small
companies. SANS Institute Reading Room. Retrieved from
http://www.sans.org/reading-room/whitepapers/policyissues/information-security-policy-development-guide-large-small-companies-1331
Kreiman, J., & Sidtis, D. (2011). Foundations of voice studies: An interdisciplinary approach to
voice production and perception (1st ed., p. 177). John Wiley & Sons. Retrieved from
http://books.google.com/books?id=gwu48EvAXIsC
PBS. (n.d.). Testimony of an ex-hacker. Retrieved from
http://www.pbs.org/wgbh/pages/frontline/shows/hackers/whoare/testimony.html
PJ. (2009, February 03). What are policies, standards, guidelines and procedures? Retrieved from
http://mindfulsecurity.com/2009/02/03/policies-standards-and-guidelines/

TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
 
🐬 The future of MySQL is Postgres 🐘
🐬  The future of MySQL is Postgres   🐘🐬  The future of MySQL is Postgres   🐘
🐬 The future of MySQL is Postgres 🐘
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CV
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers:  A Deep Dive into Serverless Spatial Data and FMECloud Frontiers:  A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 

security policies are “made by management when laying out the organization’s position” (Conklin, White, Williams, Davis, Cothren, & Schou, 2011) on organizational security issues. According to Diver (2006), when developing a security policy it’s important to consider the company’s level of process maturity. She further elaborates that aiming too high at first, especially in large organizations, “isn’t likely to be successful for a number of reasons including lack of management buy-in, unprepared company culture and resources and other requirements not in place” (Diver, 2006). Since information security policies are generally created by management, it’s also important to assemble a team of subject matter experts to provide information and assist managers and executives during the process.

Standards
Most standards in an organization are developed based on the organization’s high-level security policy. However, according to Conklin et al. (2011), other standards are “externally driven. Regulations for banking and financial institutions, for example, may require certain security measures be taken by law.” Once a security policy is in place, engineers and subject matter experts can begin the task of determining the best standards for implementing the individual goals of the policy. For general information security, the National Institute of Standards and Technology’s (NIST) Computer Security Resource Center is an excellent place to start. NIST’s website contains a plethora of recommended cybersecurity standards and best practices. Similarly, the Open Web Application Security Project’s (OWASP) wiki is a community-maintained resource for web and other application security recommendations and vulnerabilities. Finally, the organization may wish to employ subject matter experts and consultants to develop standards based on industry-standard best practices and experience.

Role of Employees
As stated above, people are the weak link in any organizational information security plan. Most people realize that employees with trusted access privileges may abuse their access to compromise an organization’s information. However, as Kevin Mitnick illustrated, employees can also be unwittingly tricked into divulging sensitive information or information that can assist an intruder in compromising computer systems. Organizations must include human factors in their security policies, and they must make efforts to inform employees and others working for the organization about policies, standards, procedures, and guidelines. It is absolutely essential that employees understand that information compromises can have serious consequences, not just for the organization but also for the employees themselves.

Employees and others working for the organization must be ever vigilant against social engineering attempts, phishing, physical security breaches, and other human-oriented intrusion attempts. For example, an intruder may attempt to gain access to a secure facility by waiting for an authorized employee to swipe their security badge and then following them through the door before it closes (“piggybacking”). Organizations can prevent this kind of intrusion by implementing clear policies that every person passing into a secure area must swipe their badge before entering. This kind of policy counteracts the normal human tendency to avoid inconveniencing others. Another example might be an intruder attempting to gain sensitive security information over the phone. Kevin Mitnick famously exploited the natural human tendency to be helpful by calling government agencies and posing as a fellow employee who was having technical problems, and he was able to convince employees to give him the names of computer systems and even execute commands on his behalf (PBS, n.d.). Employees should verify the identity of any unknown caller, even if they claim to be in distress or a high-level executive (another common tactic). However, an exception can be made for familiar voices, as studies have shown that people are quite good at recognizing voices—an accuracy rate of 92% when hearing a familiar voice for only 5.3 seconds and an accuracy rate of 79% when hearing a barely familiar voice for 15.3 seconds (Kreiman & Sidtis, 2011, p. 177).

Conclusion
As Kevin Mitnick said, “the human side of computer security is easily exploited and constantly overlooked” (PBS, n.d.). While the proliferation of botnets, worms, and easily available “script kiddy” tools has clearly made the role of technological information security measures more important than ever, the human element remains the weak point of any information security plan. In order to mitigate this risk, organizations must develop clear information security policies and then use them to develop standards to be implemented throughout the organization. In addition, they must train and educate employees about the risks of social engineering attempts, phishing, physical security breaches, and other human-based intrusion attempts, and about the importance of guarding against them.

References
Conklin, A., White, G., Williams, D., Davis, R., Cothren, C., & Schou, C. (2011). Principles of Computer Security: CompTIA Security+ and Beyond (Exam SY0-301) (3rd ed.). New York, NY: McGraw Hill Professional.
Diver, S. (2006). Information security policy - a development guide for large and small companies. SANS Institute Reading Room. Retrieved from http://www.sans.org/reading-room/whitepapers/policyissues/information-security-policydevelopment-guide-large-small-companies-1331
Kreiman, J., & Sidtis, D. (2011). Foundations of voice studies: An interdisciplinary approach to voice production and perception (1st ed., p. 177). John Wiley & Sons. Retrieved from http://books.google.com/books?id=gwu48EvAXIsC
PBS. (n.d.). Testimony of an ex-hacker. Retrieved from http://www.pbs.org/wgbh/pages/frontline/shows/hackers/whoare/testimony.html
PJ. (2009, February 03). What are policies, standards, guidelines and procedures? Retrieved from http://mindfulsecurity.com/2009/02/03/policies-standards-and-guidelines/