
Information Security Policy Transcription

Welcome to our Information Security Policy module. In this module we will discuss policies, procedures, standards, baselines, and guidelines. When we're developing our policies and procedures, we should start off by looking at laws and regulations that we are required to follow in our industry, and also take a look at best practices.

These will be our drivers in developing our policies. We will then develop our organizational policy, which is our management's statement on security. Once we have this policy in place, we can then begin working on our functional policies, which will focus on the issues affecting our business and our specific systems.

These functional policies are the security directives provided by our management staff. From these policies we can develop standards, procedures, baselines, and guidelines. The National Institute of Standards and Technology (NIST) published Special Publication 800-12 to help with information technology security. It describes the need for computer security in terms of laws and regulations, the desire to avoid liability, and the goal of providing best practices for computer security.

It establishes management's responsibilities, which are to create a computer security program and then assign roles and responsibilities as necessary. It discusses the components of your policies, such as compliance issues, the overall goal of your computer security policy, and its scope. It also provides information on organizational policies, such as your internet policy, privacy policy, and acceptable use policy.

When you attempt to provide information security in your organization, you will not be successful unless you have security policies that are easy to understand and are implemented throughout the entire organization. (ISC)2 certifications are very focused on preparing written plans, procedures, and policies. You must first start off with a broad statement from your upper management about your overall security goals.

In your enterprise, you should have everything that you expect spelled out in writing with clear responsibilities for your employees. You should have step-by-step procedures, which are very detailed, and make it clear what should be done and how to accomplish it. In order to ensure compliance, you should always have someone accountable for enforcing these policies.

There are several different types of policies. Regulatory policies are designed to make sure that your organization complies with industry regulations; they are common in government-regulated entities and are often very detailed. Advisory policies advise against unacceptable behavior, spell out which behaviors are prohibited, and set out the punishments for non-compliance with the policy. Informative policies are not generally enforceable, but they provide information about issues that are relevant to your organization. Standards are binding and mandatory: these rules are not optional, and they dictate how hardware and software are to be used and the behavior expected of your employees.

Baselines are also considered mandatory and binding; they define the minimum level of security required on all of the devices in your organization. Procedures are likewise mandatory, and they provide the detailed, step-by-step actions a user should take to perform a given task.

Guidelines are not considered binding or mandatory. They are typically used as operational guides and give your employees recommended actions. Remember, for the CISSP exam, that standards, baselines, and procedures are all mandatory, and guidelines are the only one that is not. Guidelines are meant simply to be a guide for employees to follow.

This concludes our Information Security Policy module. Thank you for watching.
