Information Security Policies and Procedures: A Practitioner's Reference
Scribed by Thomas R. Peltier
- Publisher: Auerbach Publications
- Year: 1998
- Tongue: English
- Leaves: 249
- Category: Library
Synopsis
It explains why and how to integrate security policies and procedures across all tiers of a software engineering organization. I had limited understanding, and this book helped me get deep into the details and understand them at an organization level.
I recommend this for all engineers and managers in a software organization.
Table of Contents
Contents......Page 6
2 LEGAL REQUIREMENTS......Page 11
2.3 Federal Guidelines for Sentencing for Criminal Convictions......Page 12
2.4 The Economic Espionage Act of 1996......Page 13
3.1 The Need for Controls......Page 14
3.2 The Changing Environment......Page 15
3.3 Good Business Practices......Page 16
3.4 Where to Begin?......Page 17
4 SUMMARY......Page 18
2 FIRST THINGS FIRST: IDENTIFY THE SPONSOR......Page 20
3 DEFINING THE SCOPE OF WORK......Page 22
4 TIME MANAGEMENT......Page 24
6 PLANNING FOR QUALITY......Page 30
8 CREATING A COMMUNICATIONS PLAN......Page 31
8.1 Sample Communications Plan During Development of P & P......Page 32
9 SUMMARY......Page 33
2 OBJECTIVES OF POLICIES, STANDARDS, AND PROCEDURES......Page 35
4 PREPARATION ACTIVITIES......Page 37
6 FOCUS GROUP......Page 38
8 DEVELOPMENT RESPONSIBILITIES......Page 39
10 KEY FACTORS IN ESTABLISHING THE DEVELOPMENT COST......Page 40
10.3 Write the Initial Draft and Prepare Illustrations......Page 41
11 REFERENCE WORKS......Page 42
12 MILESTONES AND TIMELINES......Page 43
14 DEVELOPMENT CHECKLIST......Page 44
15 SUMMARY......Page 45
2 WHY IMPLEMENT AN INFORMATION SECURITY POLICY?......Page 47
4 WHAT IS A POLICY?......Page 48
6.1 Guidelines......Page 49
6.2 Procedures......Page 50
7 POLICY KEY ELEMENTS......Page 52
8.1 Program Policy......Page 53
8.2 Topic-Specific Policy......Page 54
8.3 Application-Specific Policy......Page 55
9.1 Example No. 1: A Utility Company......Page 56
9.2 Example No. 2: Medical Service Organization......Page 57
Employee Responsibilities......Page 59
Basic Policies......Page 60
9.5 Example No. 5: Insurance Company......Page 61
10 ADDITIONAL HINTS......Page 62
11 PITFALLS TO AVOID......Page 63
12 SUMMARY......Page 64
3 WHY CLASSIFY INFORMATION?......Page 66
5 ESTABLISH A TEAM......Page 68
6 DEVELOPING THE POLICY......Page 69
8 WHAT CONSTITUTES CONFIDENTIAL INFORMATION......Page 70
9.1 Example No. 1......Page 72
Confidential (Sensitive, Personal, Privileged)......Page 73
Public (Unclassified)......Page 74
Confidential......Page 75
Public......Page 76
Owners are responsible to:......Page 77
10 DECLASSIFICATION OR RECLASSIFICATION OF INFORMATION......Page 78
11.1 Printed Information......Page 79
11.2 Electronically Stored (Computer-Based) Information......Page 80
12 INFORMATION CLASSIFICATION METHODOLOGY......Page 81
13.2 Custodians......Page 84
14 SUMMARY......Page 85
2 DEFINITION......Page 86
5 EMPLOYEE PRIVACY ISSUES......Page 87
6.1 The Privacy Rights of Employees......Page 88
7 DO A RISK ANALYSIS PRIOR TO WRITING......Page 89
7.6 The Rights of Third Parties to Get Access to Company Files......Page 90
9 E-MAIL POLICY DEVELOPMENT......Page 91
9.2 Setting the Scope......Page 92
10 SEVEN PRINCIPLES FOR E-MAIL SECURITY......Page 93
11 POLICY DEVELOPMENT POINTS......Page 94
12.1 Policy No. 1: Sample Electronic Data Systems Policy......Page 95
12.2 Policy No. 2: Subject: Electronic-Mail (e-mail)......Page 96
12.3 Policy No. 3: Company E-Mail Policy......Page 97
12.4 Standards of Conduct for Electronic Communications......Page 98
13 SUMMARY......Page 99
We are committed to communication.......Page 100
Standards of Conduct......Page 101
Unacceptable Conduct......Page 102
I. Guidelines......Page 104
III. Common Conflict of Interest Situations......Page 105
I. General......Page 106
III. External Communication......Page 107
Provisions......Page 108
Standards......Page 109
9 GENERAL SECURITY POLICY......Page 110
Policy......Page 111
Responsibilities......Page 112
Write to the Audience: Procedures are created and implemented with......Page 114
Find Subject Experts: The first step in any procedure development process......Page 115
Use Illustrations to Support the Topic: "A picture is worth a thousand......Page 116
5 PROCEDURE CHECKLIST......Page 117
6.1 Narrative......Page 118
6.3 Playscript......Page 119
7 SUMMARY......Page 120
3.1 Title Page......Page 122
4 BODY OF THE DOCUMENT......Page 123
6 POST BODY DOCUMENTS......Page 125
8 SECTION TO BE CONSIDERED......Page 126
8.1 Access Control......Page 128
8.2 Authorization......Page 129
8.3 Identification and Authentication......Page 130
8.5 Auditability......Page 131
8.7 Encryption......Page 132
8.8 Business Continuity Planning......Page 133
8.9 Risk Analysis and Management......Page 134
8.10 Information Classification......Page 135
9 SUMMARY......Page 136
2 ESTABLISHING REVIEW PANELS......Page 138
3 WHO SHOULD PARTICIPATE......Page 139
6 SUMMARY......Page 141
2.1 Senior Management......Page 143
3 MANAGEMENT PRESENTATION POINTS......Page 145
4 WHY CONTROLS ARE NEEDED......Page 146
6 ELEMENTS OF AN EFFECTIVE PROGRAM......Page 147
8 NEED FOR INTERNAL CONTROLS......Page 148
9.1 Uncontrolled or Inadequately Controlled Access......Page 149
9.2 Vague or Inadequate Responsibilities......Page 150
9.3 Inadequate Training of Personnel......Page 151
9.4 Employee Exposure to Unnecessary Temptation......Page 153
9.6 Passwords: Failing to Meet the Challenges of the 21st Century......Page 155
9.7 Exposure of Sensitive Information in the Trash......Page 156
10 WE ARE OUR OWN WORST ENEMIES......Page 157
11.4 Monitor Compliance......Page 158
12 SECURITY AS PART OF THE ENTERPRISE INFRASTRUCTURE......Page 159
14 SUMMARY......Page 160
(Reference Chapter 7)......Page 163
3.3 Corporate Policies - Standards of Conduct......Page 164
3.7 Federal Antitrust Laws......Page 165
4 WHAT INFORMATION SHOULD BE PROTECTED?......Page 166
2 INFORMATION AVAILABILITY (BUSINESS CONTINUITY)......Page 167
owner must consider such key elements as recovery......Page 168
3.1 Separation of Duties......Page 169
owner is responsible to maximize the value of information by sharing it......Page 170
User access to information does not imply or confer authority......Page 171
Use information, group or department access may be......Page 172
2 OWNER......Page 173
users (unless specifically and explicitly limited).......Page 175
1.1 Confidential......Page 176
Use information is not labeled as such.......Page 178
2 CLASSIFICATION PROCESS......Page 179
Use, and Internal Use may eventually become Public.......Page 180
fidential until (date)." Unless specifically identified otherwise,......Page 181
2 INFORMATION LABELING......Page 182
4 INFORMATION STORAGE......Page 183
Confidential information must be destroyed beyond ability......Page 184
2 ACCESS AUTHORIZATION......Page 185
Use.......Page 186
4 BACKUP AND RECOVERY......Page 187
5 AWARENESS......Page 188
2 RIGHT TO REVIEW......Page 189
4 TRAINING......Page 190
6 PROPRIETARY SOFTWARE - CONTROLS AND SECURITY......Page 191
8 COMPUTER VIRUS SECURITY......Page 192
9.1 Phone/Voice-Mail......Page 193
9.2 Standards of Conduct for Electronic Communication......Page 194
9.4 Fax Machines......Page 195
9.5 Interoffice Mail......Page 196
9.7 Records Management......Page 197
3.1 Corporate Information Security Manager......Page 198
4.2 Information Security Coordinators......Page 199
2.1 Designing Your Organization's Program......Page 201
Baseline Program Recommendation......Page 203
3.1 Determining Initial Program Scope and Obtaining Approval......Page 204
Baseline Program Recommendation......Page 205
3.2 Assessing the Information Environment......Page 206
Baseline Program Recommendation......Page 208
3.3 Developing the Program Elements......Page 209
Baseline Program Recommendation......Page 211
Baseline Program Recommendation......Page 212
Baseline Program Recommendation......Page 214
Baseline Program Recommendation......Page 216
Baseline Program Recommendation......Page 217
Performing a Business Impact Analysis......Page 218
Writing the Business Continuity Plan......Page 219
Baseline Program Recommendation......Page 220
Baseline Program Recommendation......Page 221
4.1 Program Implementation Plan......Page 222
Baseline Program Recommendation......Page 223
5.2 Maintaining Knowledge of the Information Environment......Page 224
Baseline Program Recommendation......Page 225
Baseline Program Recommendation......Page 226
Baseline Program Recommendation......Page 227
Baseline Program Recommendation......Page 228
Baseline Program Recommendation......Page 229
1 INFORMATION HANDLING PROCEDURES MATRIX......Page 231
2 GLOSSARY......Page 234
3 INFORMATION IDENTIFICATION WORKSHEET......Page 236
4 INFORMATION RISK ASSESSMENT WORKSHEET......Page 237
5 SUMMARY AND CONTROLS WORKSHEET......Page 238
6.4 Employee Information Security Awareness......Page 239
6.6 Computer Security......Page 240
6.7 Microcomputer Security......Page 241
D......Page 243
G......Page 244
I......Page 245
P......Page 246
S......Page 247
U......Page 248
V W......Page 249
SIMILAR VOLUMES
Everything you need to produce a comprehensive set of policies and procedures. Developed by corporate information security guru Tom Peltier and successfully implemented at numerous Fortune 500 companies, Information Security Policy and Procedures will substantially reduce the time and cost usually a
Information Security Policies, Procedures, and Standards: A Practitioner's Reference gives you a blueprint on how to develop effective information security policies and procedures. It uses standards such as NIST 800-53, ISO 27001, and COBIT, and regulations such as HIPAA and PCI
Information Security Policies and Procedures: A Practitioner's Reference, Second Edition illustrates how policies and procedures support the efficient running of an organization. This book is divided into two parts, an overview of security policies and procedures, and an information security referen
Company network administrators are compelled today to aggressively pursue a robust network security regime. This book aims to give the reader a strong, multi-disciplinary understanding of how to pursue this goal. This professional volume introduces the technical issues surrounding security as well a
Information security policies and all of it in this book. This is great advice for businesses to start, continue, and follow on their journey. Thomas has captured the essence of what businesses of all levels want to know when it comes to developing IT policies and systems. This book is a must read for all