Issue-specific security policy (issp), Computer Network Security

Issue-Specific Security Policy (ISSP)

The ISSP addresses specific areas of technology, requires frequent updates, and contains a statement of the organization’s position on a particular issue. Whereas program-level policy is intended to address the broadest aspects of IT security and the IT security program framework, issue-specific policies are developed to address particular types of activities and, in some environments, particular systems. The subjects covered by issue-specific policies are areas of current relevance, concern, and, at times, controversy on which the organization is required to assert a position. In this manner, issue-specific IT security policies help to standardize activities and reduce the potential risks posed by inadequate and inappropriate treatment of IT resources. Issue-specific policies also serve to provide guidelines for the further development of procedures and practices within the functional elements of an organization.

Every organization’s ISSP has 3 characteristics:
• Addresses specific technology-based systems
• Requires frequent updates
• Contains an issue statement on the organization’s position on an issue

There are three basic approaches to creating and managing ISSPs:
1.  Create a number of independent ISSP documents
2.  Create a single comprehensive ISSP document
3.  Create a modular ISSP document

Components of Issue-specific Security Policy

Statement of an Issue: To formulate a policy on an issue, the issue should first be defined, with any relevant terms, distinctions, and conditions delineated. For instance, an organization might want to develop an issue-specific policy on the use of foreign software. Foreign software can be defined to mean any software, whether applications or data, not approved, purchased, managed, screened, and owned by the organization.

Additionally, applicable distinctions and conditions might then need to be included, for instance, for software privately owned by employees but approved for use at work, and for software owned and used by other businesses under contract to the organization.

Statement of the Organization’s Position: Once the issue is stated and the related terms and conditions are delineated, the organization’s position or stance on the issue needs to be clearly stated. To continue the example of developing an issue-specific policy on the use of foreign software, this would mean stating whether use of foreign software as defined is strictly prohibited, whether or not there are further guidelines for approval and use, or whether case-by-case decisions will be rendered based on defined criteria.

Applicability: Issue specific policies will need to include statements of applicability. This means clarifying where, to whom, how, when, and to what a particular policy applies. For instance, it could be that the hypothetical policy on foreign software is intended to apply to the organization’s own onsite resources and employees and is not to be applicable to contractor organizations having offices at other locations.

Additionally, the policy’s applicability to employees who travel among different sites or work at home, and who are required to transport and use disks at multiple sites, might need to be clarified.

Roles and Responsibilities: Also included in issue-specific policies should be the assignment of roles and responsibilities. To continue with the above example, this would mean that if the policy permits foreign software privately owned by employees to be used at work with the appropriate approvals, then the approval authority granting this type of permission should be stated. Similarly, it should be clarified who would be responsible for ensuring that only approved foreign software is used on organizational IT resources and for monitoring users in regard to foreign software.

Related to the assignment of roles and responsibilities is the inclusion of guidelines for procedures and enforcement. The issue-specific policy on foreign software, for example, might include procedural guidelines for checking disks used by employees at home or at other locations. It might also state what the penalties would be for using unapproved foreign software on the organization’s IT systems.

Points of Contact: For any issue-specific policy, the appropriate individuals in the organization to contact for further guidance, information, and enforcement should be indicated. For instance, for some issues the point of contact may be a line manager; for other issues it may be a facility manager, system administrator or technical support person. For other issues, the point of contact can be a security program representative. Using the above example again, employees should know whether the point of contact for questions and procedural information would be their immediate superior, a system administrator, or a computer security official. The figure given below is an outline of a sample ISSP, which is used as a model.

Considerations for an Effective Telecommunications Use Policy

1.  Statement of policy
a. Scope and applicability
b. Definition of technology addressed
c. Responsibilities

2.  Authorized access and usage of equipment
a. User access
b. Fair and responsible use
c. Protection of privacy

3.  Prohibited usage of equipment
a. Disruptive use or misuse
b. Criminal use
c. Offensive or harassing materials
d. Copyrighted, licensed, or other intellectual property
e. Other restrictions

4.  Systems management
a. Management of stored materials
b. Employer monitoring
c. Virus protection
d. Physical security
e. Encryption

5.  Violations of policy
a. Procedures for reporting violations
b. Penalties for violations

6.  Policy review and modification
a. Scheduled review of policy procedures for modification
b. Legal disclaimers

7.  Limitations of liability
a. Statements of liability
b. Other disclaimers as required



All rights reserved! Copyrights ©2019-2020 ExpertsMind IT Educational Pvt Ltd