Upon completion of this chapter you should be able to:
- Understand management's responsibilities and role in the development, maintenance, and enforcement of information security policy, standards, practices, procedures, and guidelines.
- Understand the differences between the organization's general information security policy and the requirements and objectives of the various issue-specific and system-specific policies.
- Know what an information security blueprint is and what its major components are.
- Understand how an organization institutionalizes its policies, standards, and practices using education, training, and awareness programs.
- Become familiar with what a viable information security architecture is, what it includes, and how it is used.
- Explain what contingency planning is and how incident response planning, disaster recovery planning, and business continuity plans are related to contingency planning.
The creation of an information security program begins with the creation and/or review of the organization's information security policies, standards, and practices.
Then, the selection or creation of information security architecture and the development and use of a detailed information security blueprint will create the plan for future success.
This blueprint for the organization's information security efforts can be realized only if it operates in conjunction with the organization's information security policy.
Without policy, blueprints, and planning, the organization will be unable to meet the information security needs of the various communities of interest.
Organizations should undertake at least some planning: strategic planning to manage the allocation of resources, and contingency planning to prepare for the uncertainties of the business environment.
Information Security Policy, Standards, and Practices
Management from all communities of interest must consider policies as the basis for all information security efforts, including planning, design, and deployment.