Information Security Policies and Procedures: A Practitioner's Reference, Second Edition

Policies, standards, and procedures are a key element in the business process. The implementation of these documents should never be undertaken to satisfy some perceived audit or security requirement. These requirements do not exist. There are only business objectives or mission requirements. This book is dedicated to the concept that policies, standards, and procedures support the efficient running of an organization. Standards and procedures are the elements that implement the management policies.


Bibliographic details
Main author: R. Peltier, Thomas
Format: Book
Language: English
Published: CRC Press 2009
Online access: http://scholar.dlu.edu.vn/thuvienso/handle/DLU123456789/1357
Holding library: Thư viện Trường Đại học Đà Lạt (Da Lat University Library)
Collection: Thư viện số (Digital Library)
Contents

PART 1 INFORMATION SECURITY POLICIES AND PROCEDURES

Chapter 1 Introduction
* Corporate Policies
* Organizationwide (Tier 1) Policies
* Organizationwide Policy Document
* Legal Requirements
* Duty of Loyalty
* Duty of Care
* Other Laws and Regulations
* Federal Sentencing Guidelines for Criminal Convictions
* The Economic Espionage Act of 1996
* Business Requirements
* The Need for Controls
* Good Business Practices
* Where to Begin?
* Summary

Chapter 2 Why Manage This Process as a Project?
* Introduction
* First Things First: Identify the Sponsor
* Defining the Scope of Work
* Time Management
* Cost Management
* Planning for Quality
* Managing Human Resources
* Creating a Communications Plan
* Sample Communications Plan during Development of P & P
* Sample Communications Plan after Deployment
* Summary

Chapter 3 Planning and Preparation
* Introduction
* Objectives of Policies, Standards, and Procedures
* Employee Benefits
* Preparation Activities
* Core and Support Teams
* Focus Groups
* What to Look for in a Good Writer and Editor
* Development Responsibilities
* Other Considerations
* Key Factors in Establishing the Development Cost
* Research, Collect, and Organize the Information
* Conduct Interviews
* Write the Initial Draft and Prepare Illustrations
* Proofread and Edit
* Choosing the Medium
* Maintenance
* Reference Works
* Milestones
* Responsibilities
* Corporate Responsibilities
* Development Checklist
* Summary

Chapter 4 Developing Policies
* Policy Is the Cornerstone
* Why Implement Information Security Policy?
* Some Major Points for Establishing Policies
* What Is a Policy?
* Definitions
* Policy
* Standards
* Procedures
* Guidelines
* Policy Key Elements
* Policy Format
* Global Policy (Tier 1)
* Topic-Specific Policy (Tier 2)
* Application-Specific Policy (Tier 3)
* Additional Hints
* Pitfalls to Avoid
* Summary

Chapter 5 Asset Classification Policy
* Introduction
* Overview
* Why Classify Information?
* What Is Information Classification?
* Where to Begin?
* Information Classification Category Examples
* Resist the Urge to Add Categories
* What Constitutes Confidential Information?
* Employee Responsibilities
* Owner
* Custodian
* User
* Classification Examples
* Example 1
* Example 2
* Example 3
* Example 4
* Declassification or Reclassification of Information
* Records Management Policy
* Sample Records Management Policy
* Information Handling Standards Matrix
* Printed Material
* Electronically Stored Information
* Electronically Transmitted Information
* Records Management Retention Schedule
* Information Classification Methodology
* Authorization for Access
* Owners
* Custodians
* User
* Summary

Chapter 6 Developing Standards
* Introduction
* Overview
* Where Do Standards Belong?
* What Does a Standard Look Like?
* Where Do I Get the Standards?
* Sample Information Security Manual
* Summary

Chapter 7 Developing Procedures
* Introduction
* Overview
* Important Procedure Requirements
* Key Elements in Procedure Writing
* Procedure Checklist
* Getting Started
* Procedure Styles
* Headline
* Caption
* Matrix
* Narrative
* Flowchart
* Playscript
* Procedure Development Review
* Observations
* Summary

Chapter 8 Creating a Table of Contents
* Introduction
* Document Layout
* Document Framework
* Title Page
* Management Endorsement Page
* Amendment Record
* Preparing a Draft Table of Contents
* Sections to Consider
* Summary

Chapter 9 Understanding How to Sell Policies, Standards, and Procedures
* Introduction
* Believe in What You Are Doing
* Return on Investment for Security Functions
* Effective Communication
* Keeping Management Interested in Security
* Enterprise Business Needs
* Management Needs
* Where We Are
* Elements of Information Protection
* Common Threats
* You Add Value!
* Why Policies, Standards, and Procedures Are Needed
* Legal Requirements
* Business Requirements
* The Need for Controls
* The Changing Environment
* Good Business Practices
* Where to Begin?
* Summary

Appendix 1A Typical Tier 1 Policies
* Introduction
* Tier 1 Policies
* Shared Beliefs
* Employee Standards of Conduct
* Policy
* Responsibilities
* Compliance
* Unacceptable Conduct
* Harassment
* Fireable Offenses
* Conflict of Interest
* Policy
* Standards
* Responsibilities
* Common Conflict-of-Interest Situations
* Employment Practices
* Policy
* Filling Job Vacancies
* Termination of Employment
* Responsibilities
* Records Management
* Policy
* Role of Retention Center
* Role of Records Manager
* Role of Management Personnel
* Role of Departmental Records Coordinator
* Type of Documents Maintained in Retention Center
* Services
* Transferring Records
* Record Retrieval
* Record Destruction
* Corporate Communications
* Policy
* Standards
* Responsibilities
* Electronic Communications
* Policy
* Responsibilities
* Compliance
* Internet Security
* Policy
* Provisions
* Responsibilities
* Internet Usage and Responsibility Statement
* Employee Discipline
* Policy
* Positive Recognition
* Formal Discipline
* Deactivation
* Discharge
* General Security
* Policy
* Standards
* Responsibilities
* Compliance
* Business Continuity Planning
* Policy
* Standards
* Responsibilities
* Compliance
* Information Protection
* Policy
* Responsibilities
* Compliance
* Information Classification
* Policy
* Classification Levels
* Responsibilities
* Compliance

Appendix 1B Typical Tier 2 Policies
* Introduction
* Electronic Communications
* Policy
* Responsibilities
* Compliance
* Internet Security
* Policy
* Standards
* Responsibilities
* Compliance
* Internet Usage and Responsibility Statement
* Computer and Network Management
* Policy
* Responsibilities
* Scope
* Compliance
* Anti-Virus Policy
* Policy
* Scope
* Responsibilities
* Compliance
* Computer and Network Management
* Policy
* Standards
* Responsibilities
* Scope
* Compliance
* Personnel Security
* Policy
* Scope
* Responsibilities
* Compliance
* Systems Development and Maintenance Policy
* Policy
* Responsibilities
* Scope
* Compliance
* Application Access Control Policy
* Policy
* Standards
* Responsibilities
* Scope
* Compliance
* Supporting Standards
* Data and Software Exchange Policy
* Policy
* Responsibilities
* Scope
* Compliance
* Supporting Standards
* Network Access Control
* Policy
* Responsibilities
* Scope
* Compliance
* Supporting Standards
* Network Management Policy
* Policy
* Responsibilities
* Scope
* Compliance
* Supporting Standards
* Information Systems' Operations Policy
* Policy
* Responsibilities
* Scope
* Compliance
* Supporting Standards
* Physical and Environmental Security
* Policy
* Responsibilities
* Scope
* Compliance
* Supporting Standards
* User Access Policy
* Policy
* Responsibilities
* Scope
* Compliance
* Supporting Standards
* Employment Agreement

Appendix 1C Sample Standards Manual
* Introduction
* The Company Information Security Standards Manual
* Table of Contents
* Preface
* Background
* About This Manual
* Using the Standards
* Change Control
* Corporate Information Security Policy
* Introduction
* Policy Statement
* Responsibilities
* Manager
* Information Systems Manager/Team Leader
* Information and System Owner
* Information and System User
* Information Security Manager (ISM)
* Information Security Administration
* Standards
* Risk Management
* Personnel Security Issues
* Physical and Environmental Security Controls
* Security Management
* Information Classification Process
* Distribution
* Review and Compliance Monitoring

Appendix 1D Sample Information Security Manual
* The Company Information Security Policy Manual
* Version Control Information
* General
* Definition
* The Security Policy Committee
* What Are We Protecting?
* Classification of Information
* Classification of Computer Systems
* Local Area Network Classifications
* Definitions
* Amateur Hackers and Vandals
* Criminal Hackers and Saboteurs
* Disgruntled Employees and Ex-Employees
* User Responsibilities
* Acceptable Use Policy
* Use of the Internet
* User Classification
* Access Control Policy
* Departmental User System and Network Access
* System Administrator Access
* Special Access
* Connecting to Third-Party Networks
* Connecting Devices to the Network
* Remote Access Policy
* Penalty for Security Violation
* Security Incident Handling Procedures
* Create a Security Log
* Five-Step Procedure
* Virus and Worm Incidents
* Malicious Hacker Incidents

PART 2 INFORMATION SECURITY REFERENCE GUIDE

Chapter 10 Introduction to Information Security
* Definition of Information
* What Is Information Security?
* Why Do We Need to Protect Information?
* Corporate Policies — Information Management
* Corporate Policies — Security
* Corporate Policies — Standards of Conduct
* Corporate Policies — Conflict of Interest
* Foreign Corrupt Practices Act (FCPA)
* Federal Copyright Law
* Federal Antitrust Laws
* What Information Should Be Protected?

Chapter 11 Fundamentals of Information Security
* Introduction
* Information Availability (Business Continuity)
* Information Integrity
* Separation of Duties
* Rotation of Assignments
* Information Confidentiality
* Authority to Disclose
* Need-to-Know

Chapter 12 Employee Responsibilities
* Introduction
* Owner
* Custodian
* User

Chapter 13 Information Classification
* Introduction
* Confidential
* Internal Use
* Public
* Classification Process
* Reclassification

Chapter 14 Information Handling
* Introduction
* Information Labeling
* Information Use and Duplication
* Information Storage
* Information Disposal

Chapter 15 Tools of Information Security
* Introduction
* Access Authorization
* Access Control
* Backup and Recovery
* Awareness

Chapter 16 Information Processing
* General
* Right to Review
* Desktop Processing
* Training
* Physical Security
* Proprietary Software — Controls and Security
* Software Code of Ethics
* Computer Virus Security
* Office Automation
* Phone/Voice Mail
* Standards of Conduct for Electronic Communication
* Cellular Phones
* Fax Machines
* Interoffice Mail
* Office File Cabinets and Desks
* Records Management

Chapter 17 Information Security Program Administration
* Introduction
* Corporate Information Systems Steering Committee
* Corporate Information Security Program
* Corporate Information Security Manager
* Corporate Information Security Coordinator
* Organization Information Security Program
* Organization Management
* Information Security Coordinators

Chapter 18 Baseline Organization Information Security Program
* Introduction
* Pre-Program Development
* Designing Your Organization's Program
* A Phased Approach to the Program Process
* Getting Assistance
* Program Development Phase
* Determining Initial Program Scope and Obtaining Approval
* Assessing the Information Environment
* Developing the Program Elements
* Program Implementation Phase
* Program Implementation Plan
* Program Maintenance Phase
* Conducting Periodic Information Security Team Meetings
* Maintaining Knowledge of the Information Environment
* Maintaining the Information Security Plan and Budget
* Maintaining the Program Elements

Appendix 2A
* Information Handling Procedures Matrix
* Electronically Stored (Computer-Based) Information
* Electronically Transmitted (Computer-Based) Information
* Glossary
* Information Identification Worksheet
* Information Risk Assessment Worksheet
* Summary and Controls Worksheet
* Risk Assessment: Self-assessment Questionnaire
* Information Security
* Information Security Standards
* Information Classification System
* Employee Information Security Awareness
* Records Management
* Computer Security
* Microcomputer Security