Computer Security: Principles and Practice, 1/e


Security Policy: Topics to Cover

  • needs to address:
    • scope and purpose including relation of objectives to business, legal, regulatory requirements
    • IT security requirements
    • assignment of responsibilities
    • risk management approach
    • security awareness and training
    • general personnel issues and any legal sanctions
    • integration of security into systems development
    • information classification scheme
    • contingency and business continuity planning
    • incident detection and handling processes
    • how and when the policy is reviewed, and change control for it

Management Support

  • IT security policy must be supported by senior management
  • need IT security officer
    • to provide consistent overall supervision
    • manage process
    • handle incidents
  • large organizations need IT security officers on major projects/teams
    • manage process within their areas

Security Risk Assessment

  • critical component of process
    • otherwise may leave vulnerabilities unaddressed or waste money
  • ideally examine every asset vs risk
    • not feasible in practice
  • choose one of possible alternatives based on organization’s resources and risk profile
    • baseline
    • informal
    • formal
    • combined

Baseline Approach

  • use “industry best practice”
    • easy, cheap, can be replicated
    • but gives no special consideration to the specific org
    • may give too much or too little security
  • implement safeguards against most common threats
  • baseline recommendations and checklist documents available from various bodies
  • alone only suitable for small organizations

Informal Approach

  • conduct informal, pragmatic risk analysis on organization’s IT systems
  • exploits knowledge and expertise of analyst
  • fairly quick and cheap
  • does address some org-specific issues
  • some risks may be incorrectly assessed
  • skewed by the analyst's views; varies over time
  • suitable for small to medium sized orgs
