- Acknowledgments
- Introduction
- Overview: Information Protection Fundamentals
  - Elements of Information Protection
  - More Than Just Computer Security
  - Roles and Responsibilities
  - Common Threats
  - Policies and Procedures
  - Risk Management
  - Typical Information Protection Program
  - Summary
- Writing Mechanics and the Message
  - Attention Spans
  - Key Concepts
  - Topic Sentence and Thesis Statement
  - The Message
  - Writing Don'ts
  - Summary
- Policy Development
  - Policy Definitions
  - Frequently Asked Questions
  - Policies Are Not Enough: A Preliminary Look at Standards, Guidelines, and Procedures
  - Policy, Standards, Guidelines, and Procedures: Definitions and Examples
  - Policy Key Elements
  - Policy Format and Basic Policy Components
  - Policy Content Considerations
  - Program Policy Examples
  - Topic-Specific Policy Examples
  - Additional Hints
  - Topic-Specific Policy Subjects to Consider
  - An Approach for Success
  - Additional Examples
  - Summary
- Mission Statement
  - Background on Your Position
  - Business Goals versus Security Goals
  - Computer Security Objectives
  - Mission Statement Format
  - Allocation of Information Security Responsibilities (ISO 17799-4.1.3)
  - Mission Statement Examples
  - Support for the Mission Statement
  - Key Roles in Organizations
  - Business Objectives
  - Review
- Standards
  - Where Does a Standard Go?
  - What Is a Standard?
  - International Standards
  - Summary
- Writing Procedures
  - Definitions
  - Writing Commandments
  - Key Elements in Procedure Writing
  - Procedure Checklist
  - Getting Started
  - Procedure Styles
  - Creating a Procedure
  - Summary
- Information Classification
  - Introduction
  - Why Classify Information
  - What Is Information Classification?
  - Establish a Team
  - Developing the Policy
  - Resist the Urge to Add Categories
  - What Constitutes Confidential Information
  - Classification Examples
  - Declassification or Reclassification of Information
  - Information Classification Methodology
  - Authorization for Access
  - Summary
- Security Awareness Program
  - Key Goals of an Information Security Program
  - Key Elements of a Security Program
  - Security Awareness Program Goals
  - Identify Current Training Needs
  - Security Awareness Program Development
  - Methods Used to Convey the Awareness Message
  - Presentation Key Elements
  - Typical Presentation Format
  - When to Do Awareness
  - The Information Security Message
  - Information Security Self-Assessment
  - Conclusion
- Why Manage This Process as a Project?
  - First Things First--Identify the Sponsor
  - Defining the Scope of Work
  - Time Management
  - Cost Management
  - Planning for Quality
  - Managing Human Resources
  - Creating a Communications Plan
  - Summary
- Information Technology: Code of Practice for Information Security Management
  - Scope
  - Terms and Definitions
  - Information Security Policy
  - Organization Security
  - Asset Classification and Control
  - Personnel Security
  - Physical and Environmental Security
  - Communications and Operations Management
  - Access Control Policy
  - Systems Development and Maintenance
  - Business Continuity Planning
  - Compliance
  - Review
- Appendices
  - Policy Baseline Checklist
    - Policy Baseline
  - Sample Corporate Policies
    - Conflict of Interest
    - Employee Standards of Conduct
    - External Corporate Communications
    - Information Protection
    - General Security
  - List of Acronyms
  - Sample Security Policies
    - Network Security Policy
    - Business Continuity Planning
    - Dial-In Access
    - Access Control
    - Communications Security Policy
    - Software Development Policy
    - System and Network Security Policy
    - Electronic Communication Policy
    - Sign-On Banner
    - Standards of Conduct for Electronic Communications
    - E-Mail Access Policy
    - Internet E-Mail
    - Software Usage
  - Job Descriptions
    - Chief Information Officer (CIO)
    - Information Security Manager
    - Security Administrator
    - Firewall Administrator, Information Security
  - Security Assessment
    - Security Policy
    - Organizational Suitability
    - Physical Security
    - Business Impact Analysis, Continuity Planning Processes
    - Technical Safeguards
    - Telecommunications Security
- References
- About the Author
- Index