Issue-specific security policy (issp), Computer Network Security

Issue-Specific Security Policy (ISSP)

The ISSP addresses specific areas of technology, needs frequent updates and having statement on organization’s position on a particular issue. Issue specific Policy Whereas program level policy is intended to address broadest aspects of IT security and IT security program framework, issue specific policies are required to be developed to address particular types of activities and, in some environments, particular systems. The types of subjects covered by issue specific policies are areas of current relevance, concern, and, at times, controversy upon which the organization is required to assert a position. In this manner, issue specific IT security policies help to standardize activities and reduce potential risks posed by inadequate and inappropriate treatment of the IT resources. Issue-specific policies serve to provide guidelines for the further development of generates and practices within functional elements of an organization.

Every organization’s ISSP has 3 characteristics:
•Addresses specific technology based systems
•Requires frequent updates
•Contains an issue statement on the organization’s position on an issue. There are three basic approaches while creating and managing ISSPs:
1.  Create a number of independent ISSP documents
2.  Create a single comprehensive ISSP document
3.  Create a modular ISSP document

Components of Issue-specific Security Policy

Statement of an Issue: To formulate a policy on an issue, the issue should 1st be defined, with any relevant terms, distinctions, and conditions delineated. For instance, an organization might want to develop an issue specific policy on use of foreign software. Foreign software can be defined to mean any software, whether applications or data, not approved, purchased, managed, screened, and owned by organization.

Additionally, applicable distinctions and conditions might then required to be included, for instance, for software privately owned by employees but approved for the usage at work and for software owned and used by other businesses under contract to the organization.

Statement of the Organization’s Position: Once the issue is stated and related terms and conditions delineated, the organization’s position or stance on the issue will be required to be clearly stated. To continue the example of developing an issue specific policy on the use of foreign software, this would mean stating whether use of foreign software as defined is strictly prohibited, whether or not there are further guidelines for approval and use, or whether case by case decisions will be rendered based on defined criteria.

Applicability: Issue specific policies will need to include statements of applicability. This means clarifying where, to whom, how, when, and to what a particular policy applies. For instance, it could be that the hypothetical policy on foreign software is intended to apply to the organization’s own onsite resources and employees and is not to be applicable to contractor organizations having offices at other locations.

Additionally, the policy’s applicability to employees traveling among different sites and working at home which is required to transport and use disks at multiple sites might be required to clarify Roles and Responsibilities: Also included in issue specific policies should be the assignment of responsibilities and roles. This would mean, to continue with the above instance, that if the policy permits foreign software privately owned by employees which is to be used at work with the appropriate approvals, then approval authority granting this type of permission should stated. Similarly, it should be clarified who would be responsible for ensuring that only approved foreign software is used on organizational IT resources and, for monitoring users in regard to foreign software.

Related to assignment of roles and responsibilities is the inclusion of guidelines for procedures and enforcement. The issue-specific policy on foreign-software, for example, might include procedural guidelines for checking disks used by employees at home or at other locations. It might also state what the penalties would be for using unapproved foreign software on the organization’s IT systems.

Points of Contact: For any issue specific policy, the appropriate individuals in organization to contact for further guidance, information, and enforcement should be indicated. For instance, for some issues the point of contact may be a line manager; for other issues it may be a facility manager, system administrator or technical support person.For other issues, the point of contact can be a security program representative. By using the above example again, employees should know whether the point of contact for questions and procedural information would be his/her immediate superior, a system administrator, or a computer security official. Figure given below is an outline of a sample ISSP, which is used as a model.

Considerations for an Effective Telecommunications Use Policy

1  Statement of policy
a. Scope and applicability
b. Definition of technology addressed

c.  Responsibilities

2 Authorized access and usage of equipment
a. User access
b. Fair and responsible use
c. Protection of privacy

3 Prohibited usage of equipment
a.Disruptive use or misuse b.  Criminal use
c.Offensive of harassing materials
d.Copyrighted, licensed, or other intellectual property
e.Other restrictions

4. Systems management
a. Management of stored materials
b. Employer monitoring
c. Virus protection
d. Physical security
e. Encryption

5. Violations of policy
a. Procedures for reporting violations
b. Penalties for violations

6. Policy review and modification

a. scheduled review of policy procedures for modification
b. Legal disclaimers

7. Limitations of liability
a. Statements of liability
b. Other disclaimers as required

Posted Date: 10/9/2012 3:06:54 AM | Location : United States

Related Discussions:- Issue-specific security policy (issp), Assignment Help, Ask Question on Issue-specific security policy (issp), Get Answer, Expert's Help, Issue-specific security policy (issp) Discussions

Write discussion on Issue-specific security policy (issp)
Your posts are moderated
Related Questions
QUESTION An analog sensor is used to monitor the temperature of sea water at different depth. The sensor is fitted to a buoy and incorporates a wireless transmitter that send

In broadcast topology there are further two types 1) SATELLITE\RADIO 2) RING TOPOLOGY In a radio or satellite topology every computers are connected to each other via radio o

Your rules should ensure that Internet access will be restricted to the following: Only the following services will be permitted as OUTBOUND traffic (to the Internet from the DM

People,Procedures,Data Asset Identification-Risk Management The human resources, data information and documentation assets are more difficult to identify. People having knowle

FRAGMENTATION AND PATH MTU IPv6 source is responsible for fragmentation. Routers simply drop datagrams bigger than network MTU. So source have to fragment datagram to arrive d

QUESTION a) Compare and contrast between static and dynamic routing. b) What are the merits (five merits) and limitations (3 limitations) of using Open Shortest Path First

Question: (a) Distinguish between Steganograhy and Cryptography. (b) "Playfair cipher is more secure than Monoalphabetic cipher." Justify this statement. (c) Various ap

Question 1 a) What is a NMS? Question 2 Explain about Structure of Management Information Question 3 A)In which UDP port number does a protocol entity receive message?

Need Assignemnt help in Information security assignemnt