Chapter 4 Flashcards
What are standards?
more detailed statements of what must be done to comply with policy
Define the practice triangle.
Policies, Standards, Guidelines, Procedures (step-by-step instructions)
Types of policies?
Enterprise Information Security Policies (NIST)
Issue-specific security policies
System-specific security policies
What is the ISO 27000 series of standards?
The ISO/IEC 27000 family of standards helps organizations keep information assets secure.
EISP?
Enterprise Information Security Policy.
Sets strategic direction, scope, and tone for all security efforts within the organization.
Drafted by the CIO of the organization.
Typically addresses compliance in two areas: ensuring the requirements to establish the program are met, and assigning responsibilities.
EISP Components?
Statement of purpose
Defines information security
Importance of info sec
ISSP?
Issue-Specific Security Policy
What does ISSP do?
Addresses specific areas of technology
Requires frequent updates
Contains statement on organization’s position on specific issue
List approaches of ISSP
Create a number of independent ISSP documents
Create a single comprehensive ISSP document
Create a modular ISSP document
What are some of the components of ISSP?
Statement of Policy
Authorized Access and Usage of Equipment
Prohibited use of Equipment
What is SysSP?
Systems-Specific Policy
What does SysSP do?
It functions as standards and procedures used when configuring or maintaining systems.
What is policy management and how is it used?
Policies must be managed as they constantly change.
To remain viable, security policies must have:
Individual responsible for the policy
A schedule of reviews
Method for making recommendations for reviews.
Specific policy issuance and revision date.
Automated policy management.
Sunset clause - expiry date.
What is ISO 27000 series?
One of the often-discussed security models.
Its purpose is to give recommendations for information and security management.
What is BIA?
Business Impact Analysis.