Starting the Policy Process

    What Information Security Policies Are
        About Information Security Policies
        Why Policies Are Important
        When Policies Should Be Developed
        How Policies Should Be Developed
        Summary

    Determining Your Policy Needs
        Identify What Is to Be Protected
        Identify From Whom It Is Being Protected
        Data Security Considerations
        Backups, Archival Storage, and Disposal of Data
        Intellectual Property Rights and Policies
        Incident Response and Forensics
        Summary

    Information Security Responsibilities
        Management Responsibility
        Role of the Information Security Department
        Other Information Security Roles
        Understanding Security Management and Law Enforcement
        Information Security Awareness Training and Support
        Summary

Writing the Security Policies

    Physical Security
        Computer Location and Facility Construction
        Facilities Access Controls
        Contingency Planning
        General Computer Systems Security
        Periodic System and Network Configuration Audits
        Staffing Considerations
        Summary

    Authentication and Network Security
        Network Addressing and Architecture
        Network Access Control
        Login Security
        Passwords
        User Interface
        Access Controls
        Telecommuting and Remote Access
        Summary

    Internet Security Policies
        Understanding the Door to the Internet
        Administrative Responsibilities
        User Responsibilities
        World Wide Web Policies
        Application Responsibilities
        VPNs, Extranets, Intranets, and Other Tunnels
        Modems and Other Backdoors
        Employing PKI and Other Controls
        Electronic Commerce
        Summary

    Email Security Policies
        Rules for Using Email
        Administration of Email
        Use of Email for Confidential Communication
        Summary

    Viruses, Worms, and Trojan Horses
        The Need for Protection
        Establishing the Type of Virus Protection
        Rules for Handling Third-Party Software
        User Involvement with Viruses
        Summary

    Encryption
        Legal Issues
        Managing Encryption
        Handling Encryption and Encrypted Data
        Key Generation Considerations
        Key Management
        Summary

    Software Development Policies
        Software Development Processes
        Testing and Documentation
        Revision Control and Configuration Management
        Third-Party Development
        Intellectual Property Issues
        Summary

Maintaining the Policies

    Acceptable Use Policies
        Writing the AUP
        User Login Responsibilities
        Use of Systems and Network
        User Responsibilities
        Organization's Responsibilities and Disclosures
        Common-Sense Guidelines About Speech
        Summary

    Compliance and Enforcement
        Testing and Effectiveness of the Policies
        Publishing and Notification Requirements of the Policies
        Monitoring, Controls, and Remedies
        Administrator's Responsibility
        Logging Considerations
        Reporting of Security Problems
        Considerations When Computer Crimes Are Committed
        Summary

    The Policy Review Process
        Periodic Reviews of Policy Documents
        What the Policy Reviews Should Include
        The Review Committee
        Summary

Appendixes

    Glossary

    Resources
        Incident Response Teams
        Other Incident Response Information
        Virus Protection
        Vendor-Specific Security Information
        Security Information Resources
        Security Publications
        Industry Consortia and Associations
        Hacker and "Underground" Organizations
        Health Insurance Portability and Accountability Act
        Survivability
        Cryptography Policies and Regulations
        Security Policy References

    Sample Policies
        Sample Acceptable Use Policy
        Sample Email Security Policy
        Sample Administrative Policies

Index