CHAPTER 4: INFORMATION SECURITY POLICY by Hafisha Amila
Enterprise Information Security Policy (EISP)
•Essential foundation of an effective information security program
•Guides the development, implementation, and management requirements of the InfoSec program
•Should not contradict the organizational mission statement
Issue-Specific Security Policy (ISSP)
•Fair and responsible use policies
•The organization’s ISSPs should:
  •Address specific technology-based systems
  •Require frequent updates
  •Contain a statement on the organization’s position on an issue
•Provides detailed, targeted guidance to instruct all members of the organization in the use of a resource
System-Specific Security Policies (SysSPs)
•Applies to any technology that affects the confidentiality, integrity, or availability of information
•Methods of implementing:
  •Access control lists
  •Configuration rules
Access Control Lists
•Read
•Write
•Execute
•Delete
Configuration Rules
Combination SysSPs
Policy
•Essential foundation of an effective information security program
Bull’s-eye model layers
•Policies
•Network
•System
•Applications
Guidelines for Effective Policy
•The policy is designed and written
•A senior manager or executive at the appropriate level and the organization’s legal counsel review and formally approve the document
•Management processes are established to perpetuate the policy within the organization