Residency Project 4 – Information Security Policy
Information security policies are written instructions provided by management that inform employees and others in the workplace about proper behavior regarding the use of information and information assets.
Policy in business is a statement of managerial intent designed to guide and regulate employee behavior in the organization; in IT, a computer configuration specification used to standardize system and user behavior.
A quality information security program begins and ends with policy. Information security policies are designed to provide structure in the workplace and explain the will of the organization’s management in controlling the behavior of its employees with regard to the appropriate and secure use of its information and information resources. Policy is designed to create a productive and effective work environment, free from unnecessary distractions and inappropriate actions. In general, a policy is simply a manager’s or other governing body’s statement of intent, as such, a policy (document) actually contains multiple policies (statements). In InfoSec, we typically use the document version of the term policy when discussing the subject, whereas in IT we use policy to specify computer system configuration.
In a 6-slide PowerPoint Presentation, address the following:
(a) List and describe the three types of InfoSec policies indicated in NIST SP 800-14.
(b) What is the purpose of the EISP?
(c) What is the purpose of the ISSP?
(d) What is the purpose of the SysSP?
(e) List and describe the four elements that should be present in the EISP.
(f) List and describe the three functions that the ISSP serves in the organization.
Be prepared to present your PowerPoint presentation (6 slides maximum) in no less than 15 minutes, but no more than 20 minutes.
