| |
| |
| |
| Starting the Policy Process | |
| |
| |
| |
| What Information Security Policies Are | |
| |
| |
| About Information Security Policies | |
| |
| |
| Why Policies Are Important | |
| |
| |
| When Policies Should Be Developed | |
| |
| |
| How Policies Should Be Developed | |
| |
| |
| Summary | |
| |
| |
| |
| Determining Your Policy Needs | |
| |
| |
| Identify What Is to Be Protected | |
| |
| |
| Identify From Whom It Is Being Protected | |
| |
| |
| Data Security Considerations | |
| |
| |
| Backups, Archival Storage, and Disposal of Data | |
| |
| |
| Intellectual Property Rights and Policies | |
| |
| |
| Incident Response and Forensics | |
| |
| |
| Summary | |
| |
| |
| |
| Information Security Responsibilities | |
| |
| |
| Management Responsibility | |
| |
| |
| Role of the Information Security Department | |
| |
| |
| Other Information Security Roles | |
| |
| |
| Understanding Security Management and Law Enforcement | |
| |
| |
| Information Security Awareness Training and Support | |
| |
| |
| Summary | |
| |
| |
| |
| Writing the Security Policies | |
| |
| |
| |
| Physical Security | |
| |
| |
| Computer Location and Facility Construction | |
| |
| |
| Facilities Access Controls | |
| |
| |
| Contingency Planning | |
| |
| |
| General Computer Systems Security | |
| |
| |
| Periodic System and Network Configuration Audits | |
| |
| |
| Staffing Considerations | |
| |
| |
| Summary | |
| |
| |
| |
| Authentication and Network Security | |
| |
| |
| Network Addressing and Architecture | |
| |
| |
| Network Access Control | |
| |
| |
| Login Security | |
| |
| |
| Passwords | |
| |
| |
| User Interface | |
| |
| |
| Access Controls | |
| |
| |
| Telecommuting and Remote Access | |
| |
| |
| Summary | |
| |
| |
| |
| Internet Security Policies | |
| |
| |
| Understanding the Door to the Internet | |
| |
| |
| Administrative Responsibilities | |
| |
| |
| User Responsibilities | |
| |
| |
| World Wide Web Policies | |
| |
| |
| Application Responsibilities | |
| |
| |
| VPNs, Extranets, Intranets, and Other Tunnels | |
| |
| |
| Modems and Other Backdoors | |
| |
| |
| Employing PKI and Other Controls | |
| |
| |
| Electronic Commerce | |
| |
| |
| Summary | |
| |
| |
| |
| Email Security Policies | |
| |
| |
| Rules for Using Email | |
| |
| |
| Administration of Email | |
| |
| |
| Use of Email for Confidential Communication | |
| |
| |
| Summary | |
| |
| |
| |
| Viruses, Worms, and Trojan Horses | |
| |
| |
| The Need for Protection | |
| |
| |
| Establishing the Type of Virus Protection | |
| |
| |
| Rules for Handling Third-Party Software | |
| |
| |
| User Involvement with Viruses | |
| |
| |
| Summary | |
| |
| |
| |
| Encryption | |
| |
| |
| Legal Issues | |
| |
| |
| Managing Encryption | |
| |
| |
| Handling Encryption and Encrypted Data | |
| |
| |
| Key Generation Considerations | |
| |
| |
| Key Management | |
| |
| |
| Summary | |
| |
| |
| |
| Software Development Policies | |
| |
| |
| Software Development Processes | |
| |
| |
| Testing and Documentation | |
| |
| |
| Revision Control and Configuration Management | |
| |
| |
| Third-Party Development | |
| |
| |
| Intellectual Property Issues | |
| |
| |
| Summary | |
| |
| |
| |
| Maintaining the Policies | |
| |
| |
| |
| Acceptable Use Policies | |
| |
| |
| Writing the AUP | |
| |
| |
| User Login Responsibilities | |
| |
| |
| Use of Systems and Network | |
| |
| |
| User Responsibilities | |
| |
| |
| Organization's Responsibilities and Disclosures | |
| |
| |
| Common-Sense Guidelines About Speech | |
| |
| |
| Summary | |
| |
| |
| |
| Compliance and Enforcement | |
| |
| |
| Testing and Effectiveness of the Policies | |
| |
| |
| Publishing and Notification Requirements of the Policies | |
| |
| |
| Monitoring, Controls, and Remedies | |
| |
| |
| Administrator's Responsibility | |
| |
| |
| Logging Considerations | |
| |
| |
| Reporting of Security Problems | |
| |
| |
| Considerations When Computer Crimes Are Committed | |
| |
| |
| Summary | |
| |
| |
| |
| The Policy Review Process | |
| |
| |
| Periodic Reviews of Policy Documents | |
| |
| |
| What the Policy Reviews Should Include | |
| |
| |
| The Review Committee | |
| |
| |
| Summary | |
| |
| |
| |
| Appendixes | |
| |
| |
| |
| Glossary | |
| |
| |
| |
| Resources | |
| |
| |
| Incident Response Teams | |
| |
| |
| Other Incident Response Information | |
| |
| |
| Virus Protection | |
| |
| |
| Vendor-Specific Security Information | |
| |
| |
| Security Information Resources | |
| |
| |
| Security Publications | |
| |
| |
| Industry Consortia and Associations | |
| |
| |
| Hacker and "Underground" Organizations | |
| |
| |
| Health Insurance Portability and Accountability Act | |
| |
| |
| Survivability | |
| |
| |
| Cryptography Policies and Regulations | |
| |
| |
| Security Policy References | |
| |
| |
| |
| Sample Policies | |
| |
| |
| Sample Acceptable Use Policy | |
| |
| |
| Sample Email Security Policy | |
| |
| |
| Sample Administrative Policies | |
| |
| |
| Index | |