A policy may have many standards associated. A standard should have only one policy associated. A standard may have many guidelines associated.
Information Security Policies and Standards
Ari Moesriami
Institut Teknologi Telkom, Bandung
mbarmawi@melsa.net.id
The challenges
- Define security policies and standards
- Measure actual security against policy
- Report violations to policy
- Correct violations to conform with policy
- Summarize policy compliance for the organization
The Purpose
Provide a framework for the management of security across the enterprise.
Definitions
- Policies: high-level statements that provide guidance to workers who must make present and future decisions
- Standards: requirement statements that provide specific technical specifications
- Guidelines: optional but recommended specifications
Security Policy
- Policy: Access to network resources will be granted through a unique user ID and password.
- Standard: Passwords will be 8 characters long.
- Guideline: Passwords should include one non-alphabetic character and should not be found in a dictionary.
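The password policy, standard and guideline above, checked the way the challenges slide describes (measure against policy, report violations, summarize compliance). This is an added example, not code from the slides; the word list and the sample accounts are constructed, and mandatory versus recommended levels are assumed from the definitions slide.

```python
DICTIONARY = {"password", "welcome", "sunshine", "letmein"}  # constructed word list

def check_account(user_id, password, seen_ids, dictionary=DICTIONARY):
    """Return (level, message) findings for one account. Levels follow the
    slides: 'policy' and 'standard' are mandatory, 'guideline' is recommended."""
    findings = []
    # Policy: access is granted through a unique user ID and a password.
    if user_id in seen_ids:
        findings.append(("policy", "user ID is not unique"))
    if not password:
        findings.append(("policy", "no password set"))
    # Standard (mandatory): passwords are 8 characters long.
    if len(password) < 8:
        findings.append(("standard", "shorter than 8 characters"))
    # Guideline (recommended): one non-alpha character, not a dictionary word.
    if not any(not ch.isalpha() for ch in password):
        findings.append(("guideline", "no non-alphabetic character"))
    if password.lower() in dictionary:
        findings.append(("guideline", "found in dictionary"))
    return findings

def compliance_report(accounts):
    """Measure every account, report each violation, and summarize: a broken
    mandatory level is non-compliant, a missed guideline is flagged separately."""
    seen, report = set(), []
    summary = {"compliant": 0, "guideline_only": 0, "non_compliant": 0}
    for user_id, password in accounts:
        findings = check_account(user_id, password, seen)
        seen.add(user_id)
        report.extend((user_id, level, msg) for level, msg in findings)
        levels = {level for level, _ in findings}
        if levels & {"policy", "standard"}:
            summary["non_compliant"] += 1
        elif levels:
            summary["guideline_only"] += 1
        else:
            summary["compliant"] += 1
    return report, summary

SAMPLE_ACCOUNTS = [  # constructed sample input, not real credentials
    ("alice", "Tr0ub4dor&3"),     # meets policy, standard and guideline
    ("bob", "sunshine"),          # 8 chars, but an all-alpha dictionary word
    ("carol", "short"),           # breaks the 8-character standard
    ("alice", "zebra-crossing"),  # duplicate user ID breaks the policy
]

if __name__ == "__main__":
    print(compliance_report(SAMPLE_ACCOUNTS))
```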
Elements of Policies
- Set the tone of management
- Establish roles and responsibility
- Define asset classifications
- Provide direction for decisions
- Establish the scope of authority
- Provide a basis for guidelines and procedures
- Establish accountability
- Describe appropriate use of assets
- Establish relationships to legal requirements
Policies should clearly identify and define the information security goals and the goals of the institution/unit/company.
Policy Hierarchy
Governance Policy
    Access Control Policy
        Access Control Authentication Standard
        Password Construction Standard
            Strong Password Construction Guidelines
    User ID Policy
        User ID Naming Standard