THE ROLE OF INFORMATION SECURITY POLICY

The Role of Information Security Policy
Jarin Udom
CMGT/400
November 22, 2013
Eric Clifford

The Role of Information Security Policy
According to Kevin Mitnick, one of the world’s most famous (or infamous) hackers,
“companies could spend millions of dollars towards technological protections and that's money
wasted if somebody could basically call somebody on the telephone and either convince them to
do something on the computer which lowers the computers defenses or reveals the information
that they're seeking” (PBS, n.d.). Technical defenses have become increasingly sophisticated, but
the human element is still the biggest—and will likely continue to be the biggest—security
vulnerability at any organization. Although not completely effective, arguably the best ways to
mitigate this risk are policies, standards, and a concerted organizational effort to train and
educate employees and others working for the organization.
Policies and Standards
What is the difference between information security policies and standards? Information
security policies outline the ways an organization will protect information in the form of high-level business rules and guidelines (PJ, 2009). Information security standards dictate more
detailed requirements for how an organization will implement those policies (PJ, 2009). For
example, an information security policy may require all sensitive emails be encrypted and
digitally signed. The corresponding standard may specify that all sensitive email is to be
encrypted and digitally signed via PGP, using a 2048-bit key size and the RSA algorithm.
Policies
In any organization, it’s important to start with a high-level security policy before
considering standards, guidelines, or procedures. A security policy addresses the overarching
goals, concerns, and risks of the organization’s overall information security efforts. Information
security policies are “made by management when laying out the organization’s position”
(Conklin, White, Williams, Davis, Cothren, & Schou, 2011) on organizational security issues.
According to Diver (2006), when developing a security policy it’s important to consider
the company’s level of process maturity. She further elaborates that aiming too high at first,
especially in large organizations, “isn’t likely to be successful for a number of reasons including
lack of management buy-in, unprepared company culture and resources and other requirements
not in place” (Diver, 2006). Since information security policies are generally created by
management, it’s also important to assemble a team of subject matter experts to provide
information and assist managers and executives during the process.
Standards
Most standards in an organization are developed based on the organization’s high-level
security policy. However, according to Conklin et al. (2011), other standards are “externally
driven. Regulations for banking and financial institutions, for example, may require certain
security measures be taken by law.” Once a security policy is in place, engineers and subject
matter experts can begin the task of determining the best standards for implementing the
individual goals of the policy. For general information security, the National Institute of
Standards and Technology’s (NIST) Computer Security Resource Center is an excellent place to
start. NIST’s website contains a plethora of recommended cybersecurity standards and best
practices. Similarly, the Open Web Application Security Project’s (OWASP) wiki is a
community-maintained resource for web and other application security recommendations and
vulnerabilities. Finally, the organization may wish to employ subject matter experts and
consultants to develop standards based on industry-standard best practices and experience.
Role of Employees
As stated above, people are the weak link in any organizational information security plan.
Most people realize that employees with trusted access privileges may abuse their access to
compromise an organization’s information. However, as Kevin Mitnick illustrated, employees
can also be unwittingly tricked into divulging sensitive information or information that can assist
an intruder in compromising computer systems. Organizations must include human factors in
their security policies, and they must take efforts to inform employees and others working for the
organization about policies, standards, procedures and guidelines.
It is absolutely essential that employees understand that information compromises can
have serious consequences, not just for the organization but also for the employees themselves.
Employees and others working for the organization must be ever vigilant against social
engineering attempts, phishing, physical intrusion, and other human-oriented intrusion attempts.
For example, an intruder may attempt to gain access to a secure facility by waiting for an
authorized employee to swipe their security badge and then following them through the door, or
“piggybacking”, before it closes. Organizations can prevent this kind of intrusion by
implementing clear policies that every person passing into a secure area must swipe their badge
before entering. This kind of policy counteracts the normal human tendency to avoid
inconveniencing others.
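The badge policy described above can also be checked against physical-access logs. The following added example, which is not part of the original essay, correlates constructed badge-reader and door-sensor records and flags every entry that no badge swipe accounts for, the trace a piggybacking entry leaves behind; the log format and the 10-second pairing window are assumptions, not features of any real access-control product.

```python
"""Added example (not from the original essay): flag door entries with no
matching badge swipe, i.e. the trace a "piggybacking" entry leaves behind.

Assumptions (hypothetical, not from any real access-control product):
  * the badge reader logs  "<iso-ts> door=<id> event=SWIPE badge=<n>"
  * a door sensor / people counter logs one "<iso-ts> door=<id> event=ENTRY"
    record per person crossing the threshold
  * a swipe "covers" one entry at the same door within a short window
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: one tailgater following badge 1001, one compliant
# pair of colleagues who both swipe, one door used with no swipe at all,
# and one entry long after a stale swipe.
SAMPLE_LOG = """\
2013-11-22T08:01:03 door=D1 event=SWIPE badge=1001
2013-11-22T08:01:05 door=D1 event=ENTRY
2013-11-22T08:01:07 door=D1 event=ENTRY
2013-11-22T08:04:10 door=D1 event=SWIPE badge=1002
2013-11-22T08:04:11 door=D1 event=SWIPE badge=1003
2013-11-22T08:04:13 door=D1 event=ENTRY
2013-11-22T08:04:15 door=D1 event=ENTRY
2013-11-22T08:30:00 door=D2 event=ENTRY
2013-11-22T09:00:00 door=D1 event=SWIPE badge=1004
2013-11-22T09:00:40 door=D1 event=ENTRY
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) door=(?P<door>\S+) event=(?P<event>SWIPE|ENTRY)"
    r"(?: badge=(?P<badge>\S+))?$"
)


def parse_line(line):
    """Return (timestamp, door, event, badge-or-None) for one log line."""
    m = LINE_RE.match(line.strip())
    if m is None:
        raise ValueError(f"unparseable access log line: {line!r}")
    return datetime.fromisoformat(m["ts"]), m["door"], m["event"], m["badge"]


def detect_tailgating(log_text, window_seconds=10):
    """Return one alert (entry time, door, most recent badge at that door)
    for every ENTRY that no unused SWIPE within the window accounts for.

    The badge in the alert is not an accused party: it is the most recent
    swipe at that door, which tells an investigator whose entry was followed.
    """
    window = timedelta(seconds=window_seconds)
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    # Two sources are being merged, so do not trust file order: sort by time
    # (a stable sort keeps a SWIPE ahead of an ENTRY stamped the same second).
    events.sort(key=lambda e: e[0])

    pending = defaultdict(list)  # door -> unconsumed swipes [(ts, badge)]
    last_badge = {}              # door -> badge of the most recent swipe
    alerts = []
    for ts, door, event, badge in events:
        if event == "SWIPE":
            pending[door].append((ts, badge))
            last_badge[door] = badge
            continue
        # ENTRY: discard swipes older than the window, then consume the
        # oldest valid one (first swipe in, first person through).
        pending[door] = [(t, b) for t, b in pending[door] if ts - t <= window]
        if pending[door]:
            pending[door].pop(0)
        else:
            alerts.append((ts.isoformat(), door, last_badge.get(door)))
    return alerts


if __name__ == "__main__":
    for when, door, badge in detect_tailgating(SAMPLE_LOG):
        followed = f"after badge {badge}" if badge else "with no swipe on record"
        print(f"{when} door {door}: entry without a badge swipe, {followed}")
```

Run against the constructed log it reports three entries: the tailgater at 08:01:07, the swipe-less use of door D2, and the entry 40 seconds after badge 1004, which a wider window would instead accept.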
Another example might be an intruder attempting to gain sensitive security information
over the phone. Kevin Mitnick famously exploited the natural human tendency to be helpful by
calling government agencies and posing as a fellow employee who was having technical
problems, and he was able to convince employees to give him the names of computer systems
and even execute commands on his behalf (PBS, n.d.). Employees should verify the identity of
any unknown caller, even if they claim to be in distress or a high-level executive (another
common tactic). However, an exception can be made for familiar voices, as studies have shown
that people are quite good at recognizing voices—an accuracy rate of 92% when hearing a
familiar voice for only 5.3 seconds and an accuracy rate of 79% when hearing a barely familiar
voice for 15.3 seconds (Kreiman & Sidtis, 2011, p. 177).
Conclusion
As Kevin Mitnick said, “the human side of computer security is easily exploited and
constantly overlooked” (PBS, n.d.). While the proliferation of botnets, worms, and easily
available “script kiddy” tools has clearly made the role of technological information security
measures more important than ever, the human element remains the weak point of any
information security plan. In order to mitigate this risk, organizations must develop clear
information security policies and then use them to develop standards to be implemented
throughout the organization. In addition, they must train and educate employees about the
risks posed by social engineering attempts, phishing, physical intrusion, and other
human-based intrusion attempts, and about the importance of guarding against them.
References
Conklin, A., White, G., Williams, D., Davis, R., Cothren, C., & Schou, C. (2011). Principles of Computer Security: CompTIA Security+ and Beyond (Exam SY0-301) (3rd ed.). New York, NY: McGraw Hill Professional.
Diver, S. (2006). Information security policy - a development guide for large and small companies. SANS Institute Reading Room. Retrieved from http://www.sans.org/reading-room/whitepapers/policyissues/information-security-policy-development-guide-large-small-companies-1331
Kreiman, J., & Sidtis, D. (2011). Foundations of voice studies: An interdisciplinary approach to voice production and perception (1st ed., p. 177). John Wiley & Sons. Retrieved from http://books.google.com/books?id=gwu48EvAXIsC
PBS. (n.d.). Testimony of an ex-hacker. Retrieved from http://www.pbs.org/wgbh/pages/frontline/shows/hackers/whoare/testimony.html
PJ. (2009, February 03). What are policies, standards, guidelines and procedures? Retrieved from http://mindfulsecurity.com/2009/02/03/policies-standards-and-guidelines/
Essentials of Automations: Optimizing FME Workflows with ParametersSafe Software
 
Unpacking Value Delivery - Agile Oxford Meetup - May 2024.pptx
Unpacking Value Delivery - Agile Oxford Meetup - May 2024.pptxUnpacking Value Delivery - Agile Oxford Meetup - May 2024.pptx
Unpacking Value Delivery - Agile Oxford Meetup - May 2024.pptxDavid Michel
 
"Impact of front-end architecture on development cost", Viktor Turskyi
"Impact of front-end architecture on development cost", Viktor Turskyi"Impact of front-end architecture on development cost", Viktor Turskyi
"Impact of front-end architecture on development cost", Viktor TurskyiFwdays
 

Recently uploaded (20)

Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
 
When stars align: studies in data quality, knowledge graphs, and machine lear...
When stars align: studies in data quality, knowledge graphs, and machine lear...When stars align: studies in data quality, knowledge graphs, and machine lear...
When stars align: studies in data quality, knowledge graphs, and machine lear...
 
FIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance Osaka Seminar: Overview.pdfFIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance Osaka Seminar: Overview.pdf
 
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdfFIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
 
Future Visions: Predictions to Guide and Time Tech Innovation, Peter Udo Diehl
Future Visions: Predictions to Guide and Time Tech Innovation, Peter Udo DiehlFuture Visions: Predictions to Guide and Time Tech Innovation, Peter Udo Diehl
Future Visions: Predictions to Guide and Time Tech Innovation, Peter Udo Diehl
 
Accelerate your Kubernetes clusters with Varnish Caching
Accelerate your Kubernetes clusters with Varnish CachingAccelerate your Kubernetes clusters with Varnish Caching
Accelerate your Kubernetes clusters with Varnish Caching
 
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdfFIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
 
From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...
From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...
From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...
 
Key Trends Shaping the Future of Infrastructure.pdf
Key Trends Shaping the Future of Infrastructure.pdfKey Trends Shaping the Future of Infrastructure.pdf
Key Trends Shaping the Future of Infrastructure.pdf
 
How world-class product teams are winning in the AI era by CEO and Founder, P...
How world-class product teams are winning in the AI era by CEO and Founder, P...How world-class product teams are winning in the AI era by CEO and Founder, P...
How world-class product teams are winning in the AI era by CEO and Founder, P...
 
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
 
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdfFIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
 
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024
 
ODC, Data Fabric and Architecture User Group
ODC, Data Fabric and Architecture User GroupODC, Data Fabric and Architecture User Group
ODC, Data Fabric and Architecture User Group
 
UiPath Test Automation using UiPath Test Suite series, part 2
UiPath Test Automation using UiPath Test Suite series, part 2UiPath Test Automation using UiPath Test Suite series, part 2
UiPath Test Automation using UiPath Test Suite series, part 2
 
PHP Frameworks: I want to break free (IPC Berlin 2024)
PHP Frameworks: I want to break free (IPC Berlin 2024)PHP Frameworks: I want to break free (IPC Berlin 2024)
PHP Frameworks: I want to break free (IPC Berlin 2024)
 
Exploring UiPath Orchestrator API: updates and limits in 2024 🚀
Exploring UiPath Orchestrator API: updates and limits in 2024 🚀Exploring UiPath Orchestrator API: updates and limits in 2024 🚀
Exploring UiPath Orchestrator API: updates and limits in 2024 🚀
 
Essentials of Automations: Optimizing FME Workflows with Parameters
Essentials of Automations: Optimizing FME Workflows with ParametersEssentials of Automations: Optimizing FME Workflows with Parameters
Essentials of Automations: Optimizing FME Workflows with Parameters
 
Unpacking Value Delivery - Agile Oxford Meetup - May 2024.pptx
Unpacking Value Delivery - Agile Oxford Meetup - May 2024.pptxUnpacking Value Delivery - Agile Oxford Meetup - May 2024.pptx
Unpacking Value Delivery - Agile Oxford Meetup - May 2024.pptx
 
"Impact of front-end architecture on development cost", Viktor Turskyi
"Impact of front-end architecture on development cost", Viktor Turskyi"Impact of front-end architecture on development cost", Viktor Turskyi
"Impact of front-end architecture on development cost", Viktor Turskyi
 

The Role of Information Security Policy

security policies are “made by management when laying out the organization’s position” (Conklin, White, Williams, Davis, Cothren, & Schou, 2011) on organizational security issues. According to Diver (2006), when developing a security policy it’s important to consider the company’s level of process maturity. She further elaborates that aiming too high at first, especially in large organizations, “isn’t likely to be successful for a number of reasons including lack of management buy-in, unprepared company culture and resources and other requirements not in place” (Diver, 2006). Since information security policies are generally created by management, it’s also important to assemble a team of subject matter experts to provide information and assist managers and executives during the process.

Standards
Most standards in an organization are developed based on the organization’s high-level security policy. However, according to Conklin et al. (2011), other standards are “externally driven. Regulations for banking and financial institutions, for example, may require certain security measures be taken by law.” Once a security policy is in place, engineers and subject matter experts can begin the task of determining the best standards for implementing the individual goals of the policy. For general information security, the National Institute of Standards and Technology’s (NIST) Computer Security Resource Center is an excellent place to start. NIST’s website contains a plethora of recommended cybersecurity standards and best practices. Similarly, the Open Web Application Security Project’s (OWASP) wiki is a community-maintained resource for web and other application security recommendations and vulnerabilities. Finally, the organization may wish to employ subject matter experts and consultants to develop standards based on industry-standard best practices and experience.

Role of Employees
As stated above, people are the weak link in any organizational information security plan. Most people realize that employees with trusted access privileges may abuse their access to compromise an organization’s information. However, as Kevin Mitnick illustrated, employees can also be unwittingly tricked into divulging sensitive information, or information that can assist an intruder in compromising computer systems. Organizations must include human factors in their security policies, and they must make an effort to inform employees and others working for the organization about policies, standards, procedures, and guidelines. It is absolutely essential that employees understand that information compromises can have serious consequences, not just for the organization but also for the employees themselves. Employees and others working for the organization must be ever vigilant against social engineering attempts, phishing, physical security breaches, and other human-oriented intrusion attempts.

For example, an intruder may attempt to gain access to a secure facility by waiting for an authorized employee to swipe their security badge and then following them through the door before it closes (known as “piggybacking”). Organizations can prevent this kind of intrusion by implementing a clear policy that every person passing into a secure area must swipe their own badge before entering. This kind of policy counteracts the normal human tendency to avoid inconveniencing others. Another example might be an intruder attempting to obtain sensitive security information over the phone. Kevin Mitnick famously exploited the natural human tendency to be helpful by calling government agencies and posing as a fellow employee who was having technical problems; he was able to convince employees to give him the names of computer systems and even to execute commands on his behalf (PBS, n.d.). Employees should verify the identity of any unknown caller, even if the caller claims to be in distress or to be a high-level executive (another common tactic). However, an exception can be made for familiar voices, as studies have shown that people are quite good at recognizing voices—an accuracy rate of 92% when hearing a familiar voice for only 5.3 seconds and an accuracy rate of 79% when hearing a barely familiar voice for 15.3 seconds (Kreiman & Sidtis, 2011, p. 177).

Conclusion
As Kevin Mitnick said, “the human side of computer security is easily exploited and constantly overlooked” (PBS, n.d.). While the proliferation of botnets, worms, and easily available “script kiddy” tools has clearly made the role of technological information security measures more important than ever, the human element remains the weak point of any information security plan. In order to mitigate this risk, organizations must develop clear information security policies and then use them to develop standards to be implemented throughout the organization. In addition, they must train and educate employees about the risks posed by social engineering attempts, phishing, physical security breaches, and other human-based intrusion attempts, and about the importance of guarding against them.

References
Conklin, A., White, G., Williams, D., Davis, R., Cothren, C., & Schou, C. (2011). Principles of Computer Security: CompTIA Security+ and Beyond (Exam SY0-301) (3rd ed.). New York, NY: McGraw Hill Professional.
Diver, S. (2006). Information security policy: A development guide for large and small companies. SANS Institute Reading Room. Retrieved from http://www.sans.org/reading-room/whitepapers/policyissues/information-security-policydevelopment-guide-large-small-companies-1331
Kreiman, J., & Sidtis, D. (2011). Foundations of voice studies: An interdisciplinary approach to voice production and perception (1st ed., p. 177). John Wiley & Sons. Retrieved from http://books.google.com/books?id=gwu48EvAXIsC
PBS. (n.d.). Testimony of an ex-hacker. Retrieved from http://www.pbs.org/wgbh/pages/frontline/shows/hackers/whoare/testimony.html
PJ. (2009, February 3). What are policies, standards, guidelines and procedures? Retrieved from http://mindfulsecurity.com/2009/02/03/policies-standards-and-guidelines/