Information Security Policies and Procedures: A Practitioner's Reference, Second Edition

By Thomas R. Peltier

Auerbach Publications

412 pages | 22 B/W Illus.

Purchasing Options ($ = USD)
Hardback: ISBN 9780849319587, published 2004-06-11, $135.00
eBook (VitalSource): ISBN 9780429205392, published 2004-06-11, from $67.50


Description

Information Security Policies and Procedures: A Practitioner’s Reference, Second Edition illustrates how policies and procedures support the efficient running of an organization. The book is divided into two parts: an overview of security policies and procedures, and an information security reference guide. It points out that security documents and standards are key elements of the business process and should never be written merely to satisfy a perceived audit or security requirement. Instead, policies, standards, and procedures should exist only to support business objectives or mission requirements; they are elements that aid in the execution of management policies.

The book emphasizes how information security must be integrated into all aspects of the business process. It examines the 12 enterprise-wide (Tier 1) policies and maps information security requirements to each. The text also discusses the need for topic-specific (Tier 2) policies and application-specific (Tier 3) policies and details how they map to standards and procedures.

It may be tempting to download some organization’s policies from the Internet, but Peltier cautions against that approach. Instead, he investigates how best to use examples of policies, standards, and procedures toward the achievement of goals. He analyzes the influx of national and international standards, and outlines how to effectively use them to meet the needs of your business.

Reviews

“The path to information security is a long one, but in this book author Thomas Peltier makes the scenery attractive along the way. Peltier walks the reader through [the text] with clarity, completeness, and humor.”

— Security Management, June 2005

Table of Contents

INFORMATION SECURITY POLICIES AND PROCEDURES
  Introduction
    Corporate Policies
    Organizationwide (Tier 1) Policies
    Organizationwide Policy Document
    Legal Requirements
    Duty of Loyalty
    Duty of Care
    Other Laws and Regulations
    Business Requirements
    Where to Begin?
    Summary
  Why Manage This Process as a Project?
    Introduction
    First Things First: Identify the Sponsor
    Defining the Scope of Work
    Time Management
    Cost Management
    Planning for Quality
    Managing Human Resources
    Creating a Communications Plan
    Summary
  Planning and Preparation
    Introduction
    Objectives of Policies, Standards, and Procedures
    Employee Benefits
    Preparation Activities
    Core and Support Teams
    Focus Groups
    What to Look for in a Good Writer and Editor
    Development Responsibilities
    Other Considerations
    Key Factors in Establishing the Development Cost
    Reference Works
    Milestones
    Responsibilities
    Development Checklist
    Summary
  Developing Policies
    Policy Is the Cornerstone
    Why Implement Information Security Policy?
    Some Major Points for Establishing Policies
    What Is a Policy?
    Definitions
    Policy Key Elements
    Policy Format
    Additional Hints
    Pitfalls to Avoid
    Summary
  Asset Classification Policy
    Introduction
    Overview
    Why Classify Information?
    What Is Information Classification?
    Where to Begin?
    Resist the Urge to Add Categories
    What Constitutes Confidential Information?
    Employee Responsibilities
    Classification Examples
    Declassification or Reclassification of Information
    Records Management Policy
    Information Handling Standards Matrix
    Information Classification Methodology
    Authorization for Access
    Summary
  Developing Standards
    Introduction
    Overview
    Where Do Standards Belong?
    What Does a Standard Look Like?
    Where Do I Get the Standards?
    Sample Information Security Manual
    Summary
  Developing Procedures
    Introduction
    Overview
    Important Procedure Requirements
    Key Elements in Procedure Writing
    Procedure Checklist
    Getting Started
    Procedure Styles
    Procedure Development Review
    Observations
    Summary
  Creating a Table of Contents
    Introduction
    Document Layout
    Document Framework
    Preparing a Draft Table of Contents
    Sections to Consider
    Summary
  Understanding How to Sell Policies, Standards, and Procedures
    Introduction
    Believe in What You Are Doing
    Return on Investment for Security Functions
    Effective Communication
    Keeping Management Interested in Security
    Why Policies, Standards, and Procedures Are Needed
    The Need for Controls
    Where to Begin?
    Summary
  Appendix 1A Typical Tier 1 Policies
    Introduction
    Tier 1 Policies
    Employee Standards of Conduct
    Conflict of Interest
    Employment Practices
    Records Management
    Corporate Communications
    Electronic Communications
    Internet Security
    Internet Usage and Responsibility Statement
    Employee Discipline
    General Security
    Business Continuity Planning
    Information Protection
    Information Classification
  Appendix 1B Typical Tier 2 Policies
    Introduction
    Electronic Communications
    Internet Security
    Internet Usage and Responsibility Statement
    Computer and Network Management
    Anti-Virus Policy
    Computer and Network Management
    Personnel Security
    Systems Development and Maintenance Policy
    Application Access Control Policy
    Data and Software Exchange Policy
    Network Access Control
    Network Management Policy
    Information Systems’ Operations Policy
    Physical and Environmental Security
    User Access Policy
    Employment Agreement
  Appendix 1C Sample Standards Manual
    Introduction
    The Company Information Security Standards Manual
    Table of Contents
    Preface
    Corporate Information Security Policy
    Responsibilities
    Standards
  Appendix 1D Sample Information Security Manual
    The Company Information Security Policy Manual
    General
    What Are We Protecting?
    User Responsibilities
    Access Control Policy
    Penalty for Security Violation
    Security Incident Handling Procedures
    Virus and Worm Incidents
    Malicious Hacker Incidents

INFORMATION SECURITY REFERENCE GUIDE
  Introduction to Information Security
    Definition of Information
    What is Information Security?
    Why Do We Need To Protect Information?
    What Information Should Be Protected?
  Fundamentals of Information Security
    Introduction
    Information Availability (Business Continuity)
    Information Integrity
    Information Confidentiality
  Employee Responsibilities
    Introduction
    Owner
    Custodian
    User
  Information Classification
    Introduction
    Classification Process
    Reclassification
  Information Handling
    Introduction
    Information Labeling
    Information Use and Duplication
    Information Storage
    Information Disposal
  Tools of Information Security
    Introduction
    Access Authorization
    Access Control
    Backup and Recovery
    Awareness
  Information Processing
    General
    Right to Review
    Desktop Processing
    Training
    Physical Security
    Proprietary Software — Controls and Security
    Software Code of Ethics
    Computer Virus Security
    Office Automation
  Information Security Program Administration
    Introduction
    Corporate Information Systems Steering Committee
    Corporate Information Security Program
    Organization Information Security Program
  Baseline Organization Information Security Program
    Introduction
    Pre-Program Development
    Program Development Phase
    Program Implementation Phase
    Program Maintenance Phase
  Appendix 2A
    Information Handling Procedures Matrix
    Glossary
    Information Identification Worksheet
    Information Risk Assessment Worksheet
    Summary and Controls Worksheet
    Risk Assessment: Self-assessment Questionnaire

Subject Categories

BISAC Subject Codes/Headings:
  BUS073000  BUSINESS & ECONOMICS / Commerce
  COM032000  COMPUTERS / Information Technology
  COM053000  COMPUTERS / Security / General