Management of Information Security

Information Security Policy Development for Management
By Peter McCarthy

Brief Overview
- Why Policy?
- What Is Policy?
- Basic Rules For Policy Development
- 3 Types Of Policy
- Using SecSDLC
- Complying With Policy
- Policies, Standards, & Practices

Why Policy?
- The centrality of information security policies to virtually everything that happens in the information security field is increasingly evident.
- An effective information security training and awareness effort cannot be initiated without writing information security policies, because policies provide the essential content that can be utilized in training and awareness material.
- Properly developed and implemented policies enable the information security program to function almost seamlessly within the workplace.

The Bulls-eye Model

What Is Policy?
- Policy is a plan or course of action, as of a government, political party, or business, intended to influence and determine decisions, actions, and other matters.
- Policies comprise a set of rules that dictate acceptable and unacceptable behavior within an organization.
- Policies must also specify the penalties for unacceptable behavior and define an appeal process.

Basic Rules for Policy Development
- Set the information resource security policy for the organization with the objectives of reduced risk, compliance with laws and regulations, and assurance of operational continuity, information integrity, and confidentiality.
- Policy must be able to stand up in court, if challenged.
- Policy must be properly supported and administered.
- All policies must contribute to the success of the organization.
- Management must ensure the adequate sharing of responsibility for proper use of information systems.
- End users of information systems should be involved in the steps of policy formulation.

3 Types of Policy
- Enterprise information security program policy
- Issue-specific security policies
- System-specific security policies

Enterprise Information Security Policy (EISP)
- The EISP sets the strategic direction, scope, and tone for all of an organization's security efforts.
- It assigns responsibilities for the various areas of information security, including maintenance of information security policies and the practices and responsibilities of end users.
- It guides the development, implementation, and management requirements of the information security program.
- It must directly support the organization's vision and mission statements.
- It must be defensible if legal challenges to it arise.

Issue-Specific Security Policy (ISSP)
- The ISSP provides detailed, targeted guidance to instruct all members of the organization in the use of technology-based systems.
- Its purpose is not to establish a legal foundation for persecution or prosecution, but rather to provide a common understanding of the purposes for which an employee can and cannot use the technology.
- The ISSP serves to protect both the employee and the organization from inefficiency and ambiguity.

System-Specific Security Policy (SysSSP)
- SysSSPs often function as standards or procedures to be used when configuring or maintaining systems.
- SysSSPs can be separated into two general groups, management guidance and technical specifications, or they may combine these two types of SysSSP content into a single policy document.

Using a Secure Systems Development Life Cycle (SecSDLC)
- Investigation Phase
- Analysis Phase
- Design Phase
- Implementation Phase
- Maintenance Phase

Complying With Policy
- A standard is a more detailed statement of what must be done to comply with policy.
- Practices, procedures, and guidelines explain how employees are to comply with policy.

Policies, Standards, & Practices

Brief Summary
- Why Policy?
- What Is Policy?
- Basic Rules For Policy Development
- 3 Types Of Policy
- Using SecSDLC
- Complying With Policy
- Policies, Standards, & Practices

Sources
- Whitman, Michael E., and Herbert J. Mattord. Management of Information Security. Canada: Course Technology, 2004. 106-131.

Any Questions?