sion detection, and anti-malware. The development process for any specific security
policy includes:

- Identify compliance requirements.
    - Legislative and regulatory: Sarbanes-Oxley, Clinger-Cohen, and HIPAA
- Identify the governing body.
    - Judicial system, Securities and Exchange Commission (SEC), Federal
      Trade Commission (FTC), Food and Drug Administration (FDA),
      Office of Management and Budget (OMB)
- Identify the governing body's audit process and audit guidance.
    - OMB Circular A-130
- Choose industry standards and best practices.
    - The organization decides to hold itself accountable to an industry standard
      or to industry best practices.
    - ISO 27002, NIST Special Publications (SP), COBIT
- Assess the current situation.
    - As-is state of policy: determine whether policy exists, whether it is viable,
      and whether it is comprehensive with respect to compliance requirements.
    - As-is state of practice (i.e., policy implementation, how operations align
      with policy)
Organizational policy should include security controls. A generic security controls
policy statement may read:

    Organization Y requires appropriate security controls to protect information
    and information technology from threats. These security controls include a
    combination of policies, standards, procedures, guidelines, employee
    awareness, and physical, hardware, and software safeguards.

A comprehensive policy includes physical access, intellectual property protection,
and system and network access controls. Policies reflect compliance requirements
and convey details of appropriate organizational behavior. Figure 8.3 presents
the relationship among policies, standards, procedures, and guidelines.
8.6.1.1 Roles and Responsibilities
Roles and responsibilities specific to security policy development include:

- Sponsors—Those providing the financial backing and corporate clout
- Initiators—The point of accountability who starts the process