
INFORMATION SECURITY UNIT-2

LEGAL, ETHICAL, AND PROFESSIONAL ISSUES IN INFORMATION SECURITY


Law and Ethics in Information Security.
Laws are rules that mandate or prohibit certain behavior in society; they are drawn from ethics, which define socially acceptable behaviors. The key difference between laws and ethics is that laws carry the sanctions of a governing authority and ethics do not. Ethics, in turn, are based on cultural mores.
Types of Law

• Civil law
• Criminal law
• Tort law
• Private law
• Public law

Relevant U.S. Laws – General

• Computer Fraud and Abuse Act of 1986
• National Information Infrastructure Protection Act of 1996
• USA Patriot Act of 2001
• Telecommunications Deregulation and Competition Act of 1996
• Communications Decency Act (CDA)
• Computer Security Act of 1987

Privacy

• The issue of privacy has become one of the hottest topics in information security
• The ability to collect information on an individual, combine facts from separate sources, and merge it with other information has resulted in databases of information that were previously impossible to set up
• The aggregation of data from multiple sources permits unethical organizations to build databases of facts with frightening capabilities
Privacy of Customer Information

• Privacy of Customer Information Section of Common Carrier Regulations
• Federal Privacy Act of 1974
• The Electronic Communications Privacy Act of 1986
• The Health Insurance Portability & Accountability Act of 1996 (HIPAA), also known as the Kennedy-Kassebaum Act
• The Financial Services Modernization Act or Gramm-Leach-Bliley Act of 1999

Table 2.5.2.1 Key U.S. Laws of Interest to Information Security Professionals

Export and Espionage Laws

• Economic Espionage Act (EEA) of 1996
• Security and Freedom Through Encryption Act of 1997 (SAFE)

US Copyright Law

• Intellectual property is recognized as a protected asset in the US
• US copyright law extends this right to the published word, including electronic formats
• Fair use of copyrighted materials includes:
  • The use to support news reporting, teaching, scholarship, and a number of other related permissions
  • The purpose of the use has to be for educational or library purposes, not for profit, and should not be excessive

Freedom of Information Act of 1966 (FOIA)

• The Freedom of Information Act provides any person with the right to request access to federal agency records or information not determined to be of national security
• US Government agencies are required to disclose any requested information on receipt of a written request
• There are exceptions for information that is protected from disclosure, and the Act does not apply to state or local government agencies or to private businesses or individuals, although many states have their own version of the FOIA

State & Local Regulations

• In addition to the national and international restrictions placed on an organization in the use of computer technology, each state or locality may have a number of laws and regulations that impact operations
• It is the responsibility of the information security professional to understand state laws and regulations and ensure the organization’s security policies and procedures comply with those laws and regulations

International Laws and Legal Bodies

• Recently the Council of Europe drafted the European Council Cyber-Crime Convention, designed:
  • To create an international task force to oversee a range of security functions associated with Internet activities
  • To standardize technology laws across international borders
• It also attempts to improve the effectiveness of international investigations into breaches of technology law
• This convention is well received by advocates of intellectual property rights with its emphasis on copyright infringement prosecution

Digital Millennium Copyright Act (DMCA)

• The Digital Millennium Copyright Act (DMCA) is the US version of an international effort to reduce the impact of copyright, trademark, and privacy infringement
• The European Union Directive 95/46/EC increases protection of individuals with regard to the processing of personal data and limits the free movement of such data
• The United Kingdom has already implemented a version of this directive called the Database Right

United Nations Charter

• To some degree the United Nations Charter provides provisions for information security during Information Warfare
• Information Warfare (IW) involves the use of information technology to conduct offensive operations as part of an organized and lawful military operation by a sovereign state
• IW is a relatively new application of warfare, although the military has been conducting electronic warfare and counter-warfare operations for decades, jamming, intercepting, and spoofing enemy communications

Policy Versus Law

• Most organizations develop and formalize a body of expectations called policy
• Policies function in an organization like laws
• For a policy to become enforceable, it must be:
  • Distributed to all individuals who are expected to comply with it
  • Readily available for employee reference
  • Easily understood, with multi-language translations and translations for visually impaired or literacy-impaired employees
  • Acknowledged by the employee, usually by means of a signed consent form
• Only when all conditions are met does the organization have a reasonable expectation of effective policy

Ethical Concepts in Information Security


Cultural Differences in Ethical Concepts
• Differences in cultures cause problems in determining what is ethical and what is not ethical
• Studies of ethical sensitivity to computer use reveal different nationalities have different perspectives
• Difficulties arise when one nationality’s ethical behavior contradicts that of another national group

Ethics and Education


Employees must be trained and kept aware of a number of topics related to information security, not the least of which is the expected behaviors of an ethical employee

• This is especially important in areas of information security, as many employees may not have the formal technical training to understand that their behavior is unethical or even illegal
• Proper ethical and legal training is vital to creating an informed, well prepared, and low-risk system user

Deterrence to Unethical and Illegal Behavior
Deterrence: preventing an illegal or unethical activity

• Laws, policies, and technical controls are all examples of deterrents
• Laws and policies only deter if three conditions are present:
  • Fear of penalty
  • Probability of being caught
  • Probability of penalty being administered

Ethics and Information Security
Information security is a field that evolves rapidly, in large part due to the speed with which criminals devise
new ways to infiltrate your data.
Perhaps it’s little surprise then, that in a realm where security professionals must study and use the same tactics
as criminals, ethical principles can sometimes get blurry. Keep reading to learn why ethics is important to
infosec, and how you can instill a strong ethical foundation at your company.

What Defines Ethics in Information Security?


Ethics can be defined as a moral code by which a person lives. For corporations, ethics can also include the
framework you develop for what is or isn’t acceptable behavior within your organization.
In computer security, cyber-ethics is what separates security personnel from the hackers. It’s the knowledge of
right and wrong, and the ability to adhere to ethical principles while on the job.
Simply put, actions that are technically compliant may not be in the best interest of the customer or the
company, and security professionals need to be able to judge these matters accordingly.

Why is Ethics Significant to Information Security?


The data targeted in cyber attacks is often personal and sensitive. Loss of that sensitive data can be potentially
devastating for your customers, and it’s crucial that you have the full trust of the individuals you’ve hired to
protect it. Cybersecurity professionals have access to the sensitive personal data they were hired to protect. So
it’s imperative that employees in these fields have a strong sense of ethics and respect for the privacy of your
customers.
The field of information technology also expands and shifts so frequently that a strong ethical core is necessary
to navigate it. It’s important that your staff can determine what’s in the best interest of your customers and the
company as a whole. Specific scenarios that your employees might confront can sometimes be impossible to
foresee, so a strong ethical core can be the foundation that lets employees act in those best interests even in
difficult, unpredictable circumstances.
What are the Ethical Issues in Cybersecurity?
Cybersecurity professionals need to know the same tricks used by their black hat counterparts. This means that a programmer should know how to, and therefore be able to, copy credit card data, violate intellectual property agreements, steal trade secrets, and infiltrate medical records. The safety of your customers’ data is in their hands, and it’s your responsibility to recruit infosec staff who will not take advantage of their unique position within your company.

Cybersecurity also has the potential to interrupt your regular business procedures. So-called ethical hacking and
protective measures can cause inconveniences for your customers and other employees, and it’s important to
schedule cybersecurity efforts in low-traffic periods. Some professionals may prefer to focus on the technical
aspects of their job, but providing the service your customers require is as important as maintaining your
security system.
Many companies focus only on the technical abilities of a candidate for hire, but it’s not enough that your staff
have knowledge of technology and hacking techniques. They must also demonstrate the ability to maintain their
moral standards while processing customer data or handling other grey areas of data management and
cybersecurity.

What are the Key Principles in Computer Ethics?


The Association for Computing Machinery (ACM) has created a Code of Ethics and Professional Conduct for
those who work in computer systems. This code includes:

1. General Ethical Principles: These ground rules detail honesty, respect for privacy issues and
intellectual property rights, and refrain from discrimination and other potential forms of harm.
2. Professional Responsibilities: This portion of the code refers to a professional’s responsibility to the
field by performing the work to the best of his or her ability and maintaining a high level of competence.
This category also mentions the increase of public awareness of their work and the ability to accept
review when needed.
3. Professional Leadership Principles: Computer science professionals are asked to work towards the
public good, improve working life for their colleagues, and encourage other members of the field to
learn and grow.
These principles are merely suggestions, but they provide a good starting place for discussing ethics within the
field.

Are Cybersecurity Ethics and Infosec Ethics the Same?


The terms “cybersecurity” and “infosec” have important distinctions, despite so many people using the two
terms interchangeably. Infosec encompasses all information security, and includes physical data. Cybersecurity
is electronic data only, and therefore is a subset of infosec.
Cybersecurity professionals traditionally understand the “how” of data protection but not necessarily the “why.”
Increasingly, however, these two forces are becoming inseparable. Ethics are crucial to both categories, and the
ethical considerations in both areas are often similar.

What are the Risks of Bad Ethics or Lapses in Ethics of Infosec?


Your reputation depends on customers’ faith in their data’s security. If a member of your infosec team is found
to be careless or corrupt and a security breach occurs, your reputation could be severely damaged. This will
result in the loss of present and future income and could sow distrust among your board members and investors.
Depending on your field, these ethical lapses can also result in fines and other financial penalties. Banking and
healthcare are particularly vulnerable, so be sure to know what is at stake and emphasize the importance of
ethics to your staff.

How Can I Train my CISO and Employees to be Ethical?

• Personal codes of ethics can vary wildly from person to person, and no two staff members will have identical opinions on what constitutes bad behavior. Hence organizations need to define the ethical behavior they expect from employees, and hire only those people who are able to uphold those core moral standards. This is especially true for your Chief Information Security Officer, who will need to provide ethical leadership to the rest of his or her team.
• Drafting a code of conduct for your employees can greatly aid in instilling ethics in your company. Regular training sessions and company meetings can also help foster a strong sense of ethics, and also a strong sense of community amongst your employees.
• Some associations attempt to standardize the ethical aspects of cybersecurity. Organizations like ISSA and SANS provide ethical accreditations for computer ethics, but while these programs can help, they are not recognized throughout all industries. Staff members who have taken these courses should still be vetted before they are hired.

How Can I Imbue my Organization’s Culture with Ethics?

• C-suite employees and board members need to model ethical behavior. By setting this example, your high-level employees can assure that staff members in all departments know what is expected of them.
• The penalties for moral breaches should be made known throughout your company, and enforced when ethical issues arise.
• A policy of openness and honesty with your investors and customers is also important. If something goes wrong, and sooner or later something will, your organization should let affected parties know immediately, along with a detailed plan for mitigating the effects and assuring it does not happen again.

What Is Information Security Governance?

Information security governance is a framework of policies, practices, and strategies that align organizational
resources toward protecting information through cybersecurity measures.

Governance policies are critical for most enterprise organizations because ad hoc security measures will almost
always fall short as modern security threats and IT infrastructure evolve. Security and information
governance centralize accountability and planning in an organization so that several overlapping priorities are in
place at all times. These priorities include the following:

• Allocation of Resources, including funding for technology, personnel, training materials, and executive positions related to compliance and information security
• Compliance, whether with industry standards or optional frameworks as determined by organizational needs
• Accountability, centered around a management hierarchy that can formalize decision-making and process development
• Implementation of advanced security measures like risk management, proactive prevention, and tools like vulnerability scanners, penetration tests, or artificial intelligence

Encompassing these priorities are four components of security governance:

1. Strategy: Across security goals, business goals, financial goals, and compliance requirements, an
organization must have a strategy in place. This strategy should align all these priorities into a shared set of
practices and policies.
2. Implementation: Strategy isn’t worth much without proper execution. An organization should secure
funding and support for business leadership to devote resources to properly deploying security requirements
aligned with governance strategies.
3. Operation: Once implemented, a security infrastructure requires continuous operational support. This
includes direct management of compliance, project alignment, and risk.
4. Monitoring: Success, failure, and optimization—measuring these facets of a security strategy requires
regular monitoring and measurement for analytics and reporting.
What Is a Security Governance Framework?

Security governance is a complex process that can encompass every aspect of an organization. Fortunately,
security and compliance efforts have worked out several strategies and best practices to support effective
governance policies.

To help enterprises implement security governance strategies without reinventing the wheel, professional organizations have developed frameworks to support the rapid and effective deployment of security governance infrastructure.

One of the most well-known (and influential) frameworks available is the Cybersecurity Framework, developed
by the National Institute of Standards and Technology (NIST). This framework guides mobilizing business
priorities to drive security and risk management. This guidance is structured around five Core Functions:

1. Identify: An organization must develop the ability to identify critical resources, people, assets, information,
and capabilities related to implementing and maintaining IT security. This includes understanding the
business contexts of these resources.
2. Protect: An organization should implement the proper controls to protect identified assets and limit the
impact of security issues related to these assets should a breach occur.
3. Detect: An organization should deploy resources, including scanning and monitoring tools, to detect
cybersecurity events as they occur.
4. Respond: An organization must have the ability to respond to security events after they occur, including
efforts to mitigate breaches, remediate issues, and address security failures.
5. Recover: An organization should use security events, compliance requirements, and business goals to
develop recovery and resiliency plans, including regular backups and hot/cold restoration for continuity.
What Are the Benefits of Security Governance for Business?

Organizing security and compliance efforts under a single strategy will bring several significant benefits to an
organization far beyond struggling with ad hoc security.

Some of the key benefits of implementing security governance policies include the following:

• More Effective Security: A comprehensive and well-defined security governance policy can bring together business and security goals in a way that disorganized security approaches simply cannot match. Frameworks can further help organizations hit the ground running with comprehensive approaches to security that will help them meet their goals.
• Uniform Application of Compliance Requirements: Compliance is a critical part of doing business in most industries. Adherence to regulations, however, is an all-or-nothing reality: if one part of a system is noncompliant, then the whole organization is open to penalty or potential breach. Security governance policies can streamline compliance practices across technical, administrative, and physical systems.
• Common Language for Security: It doesn’t help when security experts are siloed in their own enclaves. An organization can create a common vocabulary understandable across the enterprise with a robust policy framework.
• Streamlined Technology: Once security and compliance requirements are mobilized in policy, it becomes quite easy to define the proper platforms the organization should use for business operations like customer relationship management, secure file transfer, document management, and secure email.
What Are the Challenges of Implementing Security Governance?

While there are significant benefits to implementing a security governance policy (or framework), it’s not the
case that these policies shape or implement themselves. There are several areas where an organization can face
challenges on how its governance policies play out.

Some of the challenges of security governance implementation include the following:

• Lack of Buy-in by Management: Not all business leaders, especially those running small- to medium-sized businesses or growing enterprises, understand the value of cohesive cybersecurity. Yet, some may look to cut corners in areas where they have yet to feel a negative impact, like cybersecurity. Lack of buy-in can make it impossible to pull together the people and resources needed to implement security governance policies.
• Lack of Personnel: Conceiving and implementing security governance requires expertise and continued maintenance. As such, organizations without critical personnel, including security and compliance officers, will struggle with their policy implementation.
• Inability to Measure Success: Without proper metrics and analytics, it isn’t easy to gauge how, or even if, a security governance policy or framework is making a difference. Because this kind of infrastructure is an expenditure above and beyond immediate security measures, many enterprises may not have the capabilities to launch full-scale monitoring tools, which can slow down policy rollout.

What is Information Security Governance?


Information security is a complicated, ever-changing, multi-pronged effort for corporations, which means it is
something that needs to be governed by the highest levels of the organization.
“Information security governance,” however, can be an esoteric term difficult to understand at a practical level.
This article will unpack what the term means and how CISOs can implement such governance – and to begin,
it’s essential to understand the difference between governance and management.
Management is day-to-day decision-making about business processes and operations. It’s the nuts and bolts of
running a business unit, implementing policies, and assuring that everyone has the necessary tools to do their
jobs. Information security management is about running backups, monitoring cloud computing services, and
checking firewalls; it’s the majority of the everyday work of your IT department.
Governance is the set of broad principles and values that guide your organization’s management. It is about the
vision, mission, and values of your business. Corporate governance is the soul of your business; it keeps
everyone on track and helps you reach your goals, even as those goals shift and evolve over time.

Understanding Information Security Governance


Information security governance plays a vital role in business today. It allows you to show potential business
partners that you have a structure and process that guides your information security decisions and incident
responses. As a result, you are running a tight ship and not leaving anything up to chance.
That quality makes a business more attractive to its customer base. It gives you a competitive advantage over
rivals that don’t use good governance to manage their IT security needs.
Five core components of information security governance
We can define information security governance by its five basic components. Regardless of
your precise governance principles or security strategy, any such effort should include the following.

1. Provide an organizational structure that constantly works to improve data protection. Information security
management includes risk management, which we can define as (1) identifying poor practices for handling
information that should be avoided and (2) having a plan for mitigating security incidents and managing
new or unexpected information security risks.
2. Ensure business continuity in case of security breaches or other cybersecurity events. This protects the value
of your business investments, as well as your business reputation.
3. Define security measures to assure business needs have the highest priority, and monitor how employees
follow those steps. Compile metrics and make sure your security practices are easy to understand and apply,
no matter where in the business they are needed. Remember: any security control is only as reasonable as
the metrics you collect from it.

4. Make sure your business stays in compliance with regulatory requirements and other standards. Here are
some common information security governance frameworks that will help you stay in compliance; pick the
one that applies to your business:

• National Institute of Standards and Technology (NIST) Special Publication 800-53
• International Organization for Standardization 27001 (also known as ISO 27001)
• Control Objectives for Information and Related Technology (COBIT)
• Health Insurance Portability and Accountability Act (HIPAA)
• Payment Card Industry Data Security Standard (PCI DSS)

5. Protect and communicate your information security standards both internally to staff and externally to
potential business partners. All stakeholders must be involved in the governance process, from boards of
directors through executive management and on to each staffer.

Why Is Information Security Governance Important?


The working environment for corporations today looks very different from what it did in the past. For example,
remote work is far more common (thank you, Covid-19), which dramatically expands the “attack surface”
corporate security teams need to protect. Cybersecurity attacks have also become more common and more
threatening, as seen by ransomware attacks that can leave a corporation paralyzed.
Such a complicated security landscape needs a disciplined, rigorous approach to keep your IT systems running,
your confidential data secure, and your operations in compliance with regulatory obligations. Companies that
only use a piecemeal, ad hoc approach to security are almost destined to fall behind peers that instill strategic
planning and transparency across their security efforts.

How to Implement Information Security Governance


Information security governance is the purview of an organization’s board of directors and executive
management. The foremost player is the chief information security officer (CISO), who implements the
governance strategy.
First, remember that information security governance is part of cybersecurity and IT governance, and it
addresses typical IT security issues such as data breaches, security policies, and mitigation of security incidents.
It’s natural to begin implementation in the IT and cybersecurity departments, but you must go beyond those
departments to encompass your entire business enterprise. Every stakeholder should be informed and included
in shaping security policies as they are being developed.
If you’re uncertain how to structure your governance system, you can get help from the IT Governance
Institute, a branch of ISACA (previously known as the Information Systems Audit and Control Association).

How Information Security Governance Works


As you grow and shape your information security governance program, senior management and staff should
work together to identify information assets and security risks related to your IT systems. That information lets
management set the strategic direction for implementing the governance system.

For example, if you document many, severe risks from third parties, the board might direct management to rely
on fewer third parties. Or if you document an abundance of personally identifiable information that serves little
business purpose, management might decide to strengthen data destruction policies.
Those conversations increase security awareness across the enterprise and help create an information security
strategy aligned with business objectives. All this effort, however, is worth little if you don’t collect feedback
on the information security program to understand which practices do or don’t work well and to assess new
risks as those threats emerge. Getting everyone involved has to become part of your business strategy.
A robust information security governance strategy will help create an information security policy that highlights
cybersecurity issues and help you develop measures to improve overall organizational security awareness.

WHAT IS THE PURPOSE OF AN ENTERPRISE INFORMATION SECURITY POLICY?


Information security policy is an extremely important topic of discussion that is often not discussed at all
due to a number of reasons. Organizations often find that after they create and implement their Enterprise
Information Security Policy (EISP) security architecture, they tend to put it on the back burner until the time
comes to update it for compliance purposes. This shouldn’t be the case though.
Ponemon detailed in a 2018 report that a single ransomware attack costs companies an average of
roughly $5 million, with $1.25 million being attributed to system downtime, and another $1.5 million to IT and
end-user productivity loss. Sure, ransomware attacks can happen in a myriad of unique ways, but when an
organization is collectively on the same page, it can help drive growth while protecting critical information
within your network. Let’s discuss how to configure a comprehensive, yet easy to understand EISP that can be
regularly updated as your company continues to successfully scale.
Organizational Need for IT security
According to 2018 IDG Security Priorities Study, 69% of companies see compliance mandates driving
spending. As such, we can see the benefits of having an integrated security framework woven into and across
every aspect of your evolving network. IT security has the ability to enable things like unified policy creation,
centralized orchestration, and consistent enforcement, thus bringing about positive changes in the organization
as a whole.
Enterprise Information Security Policy (EISP)
In short, an Enterprise Information Security Policy (EISP) details what a company’s philosophy is on
security and helps to set the direction, scope, and tone for all of an organization’s security efforts. This type of
management-level document is usually written by the company’s Chief Executive Officer (CEO) or Chief
Information Officer (CIO) or someone serving in that capacity. When completed, the EISP will be used as a
roadmap for the development of future security programs, setting the tone for how the company handles
specific security matters.
The EISP does the job of explaining the organization’s belief on how their security program should be
structured as it pertains to the different types of roles and responsibilities that exist in the company’s security
arena that ensure that key information is safe from an intrusion. The document should also identify the relevant
foundational principles of an effective security policy and determine the proper security levels
through security standards and guidelines. The EISP must also ensure that the appropriate responsibilities are
assigned to the applicable organizational components so that maximum security effectiveness is achieved.
Unlike other enterprise security policies, standards and procedures that need to be constantly modified,
the key elements of an Enterprise Information Security Policy will usually not need to be modified after it is
completed the first time. The only time an EISP is usually modified is if there is a change in the strategic
direction of the organization.
Statement of Purpose
Noting the specific security language that focuses on the goals of the organization within the EISP
allows the company to integrate their organizational mission statement and objectives into their functional
structure in a way that can enhance and further the organization’s purpose. The policy language of the
statement of purpose should be crafted in such a way that guarantees complete consensus amongst executives
and employees alike.


The statement of purpose needs to be stated generically, but still be pointed enough to ensure that those
who are accountable for a task institute a specific approval process for that instance. The purpose should also
showcase that the organization maintains a prominent culture that is driven by self-discipline, attention to
detail, self-inspection, and motivation. This effective organizational security stance helps to shape the security
philosophy of the organization’s IT environment, which directly supports its underlying mission and value
statements.
Legal Compliance
The preferred use of an EISP will ultimately vary from one company to another based on the purpose of
the organization itself. A hospital that handles a plethora of Protected Health Information (PHI) in electronic
form may specify in its EISP that its goals are focused on safeguarding PHI against unauthorized access or
accidental dissemination. Denoting these goals within the basis of the EISP protects the reputation of the
company with respect to its ethical and legal responsibilities.
For example, the security policy of a company that deals exclusively with the public will have a
different approach to legal compliance via their EISP than that of a government organization that handles
sensitive and/or classified information. The EISP must address the appropriate use of penalties and disciplinary
actions based on the legal compliance requirements that its organization must adhere to. These legal compliance
policies help to guide the development of procedures and guidelines that can resolve the question of what
should be done in a specific scenario and who would then take responsibility for it.

Objectives
Organizations should strive to compose well-defined objectives concerning security and strategy within their
EISP that the entire organization is on board with implementing. Keeping these objectives simple and easy to
understand will help to smooth away any and all differences that individuals may have about the objectives and
guarantee a consensus is reached amongst security management staff. Doing this will ensure that any
dissonances in the context of the objectives are ironed out and that the organization is in prime position to
implement the plan successfully.
EISP objectives should never include ambiguous expressions that cause confusion and detract from the
underlying goals that the executive team has set. EISP objectives should use direct language and avoid
redundancy in the policy’s wording, since redundancy makes the objectives sound long-winded and out of sync
with the company’s main security framework.
Formulating the EISP objectives requires the executive team to look inward at the goals of the organization
from a high level to ensure continued Confidentiality, Integrity, and Availability:
• Confidentiality – this objective calls for the organization to focus on the protection of information from
unauthorized access and misuse. Implementing safeguards and processes that increase the chance of
catching hackers via ongoing monitoring, testing, and training is key.
• Integrity – this objective calls for the protection of policies, processes, or systems from intentional or
accidental unauthorized modification. This objective is affected by both instrumentation vulnerabilities and
human error, which makes developing safeguards that protect against the loss of integrity so important.
• Availability – this objective calls for the timely and reliable access to, and use of, information, no matter
what is currently affecting the world around the organization. This includes threats such as natural disasters,
hardware failures, programming errors, human errors, distributed denial of service (DDoS) attacks, and
malicious code. Organizations must implement safeguards that address availability to ensure efficient and
effective emergency incident response preparedness and disaster recovery planning when the time comes.
Authority & Access Control Policy
EISPs typically adhere to a hierarchical tiered structure that ensures that lower-tier employees are only
given access to the information that pertains to their role unless otherwise specified. An EISP must
specify what level of access an executive or technology department responsible for data manipulation will have
to move data around on any type of media. This ensures that only those executives are given the authority to
decide what data can be shared and with whom.
This hierarchy-based delegation of control ensures that the highest member on the access totem pole (usually
the CIO or CEO) holds the authority over specific project files belonging to a group he is appointed to, whereas


the systems administrator has authority solely over the system files. The hierarchy should also be structured in
a way that accommodates those individuals who require access to particular information on a “need-to-know”
basis. Physical or digital access to an organization’s network and servers should be configured via unique
logins that require authentication in the form of passwords, biometrics, ID cards, or tokens. Executives must
find the right balance within the access control policies in the EISP to ensure that those who need to use the
data as part of their job are not denied access when that time comes. Data keyholders must implement further
safeguards that focus on system monitoring of login attempts by those with the appropriate access to ensure
enterprise data remains secure at all times.
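The login-attempt monitoring safeguard mentioned above can be illustrated with a small script. The following is an added example, not code from the original text or from any product: it parses a few constructed authentication log lines (the log format, user names and addresses are all assumptions made up for the illustration) and raises the two kinds of alert a data keyholder would want to review, a burst of failed logins for one account inside a short window, and a successful login that directly follows such a burst. A malformed line is counted rather than silently dropped, so the reviewer can see how much input the monitor could not interpret.

```python
"""Login-attempt monitoring over constructed auth log lines.

Added example for illustration only: the log format, user names and IP
addresses below are assumptions, not data from the source text.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real data). The last line is deliberately
# malformed to show that unparseable input is counted rather than ignored.
SAMPLE_LOG = """\
2024-03-01T08:00:01 auth user=alice result=FAIL src=10.10.5.7
2024-03-01T08:00:03 auth user=alice result=FAIL src=10.10.5.7
2024-03-01T08:00:05 auth user=alice result=FAIL src=10.10.5.7
2024-03-01T08:00:06 auth user=alice result=FAIL src=10.10.5.7
2024-03-01T08:00:09 auth user=alice result=OK src=10.10.5.7
2024-03-01T08:15:00 auth user=bob result=FAIL src=10.10.9.2
2024-03-01T09:30:00 auth user=bob result=OK src=10.10.9.2
2024-03-01T09:30:10 auth user=carol result=OK src=10.10.2.2
2024-03-01T09:31:00 kernel: unrelated message
"""

LINE_RE = re.compile(r"^(\S+) auth user=(\S+) result=(OK|FAIL) src=(\S+)$")


def parse(text):
    """Turn log text into (timestamp, user, result, src) tuples.

    Lines that do not match the expected format become None so the caller
    can see how much of the input the monitor could not interpret.
    """
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            events.append(None)
            continue
        ts, user, result, src = m.groups()
        events.append((datetime.fromisoformat(ts), user, result, src))
    return events


def find_alerts(events, threshold=3, window=timedelta(minutes=5)):
    """Return (user, kind, detail) alerts.

    kind is "burst" when an account reaches `threshold` failures inside
    `window`, and "success-after-failures" when a login succeeds while
    such a run of failures is still within the window.
    """
    alerts = []
    failures = defaultdict(list)  # user -> timestamps of failures in window
    for ev in events:
        if ev is None:
            continue
        ts, user, result, src = ev
        recent = [t for t in failures[user] if ts - t <= window]
        if result == "FAIL":
            recent.append(ts)
            failures[user] = recent
            if len(recent) == threshold:  # fire once per burst, not per line
                alerts.append((user, "burst",
                               f"{threshold} failures within {window} from {src}"))
        else:
            if len(recent) >= threshold:
                alerts.append((user, "success-after-failures",
                               f"login from {src} after {len(recent)} failures"))
            failures[user] = []  # a success closes the run of failures
    return alerts


def unparsed_count(events):
    """Number of input lines the monitor could not interpret."""
    return sum(1 for ev in events if ev is None)


if __name__ == "__main__":
    evs = parse(SAMPLE_LOG)
    for user, kind, detail in find_alerts(evs):
        print(f"{kind:24s} {user:8s} {detail}")
    print(f"unparsed lines: {unparsed_count(evs)}")
```

On the constructed sample the monitor reports two alerts for alice (the burst and the success that follows it) and nothing for bob, whose single failure is long outside the window by the time he logs in. The threshold and window are the tunable parts of the safeguard; the policy would state them, and the monitor would enforce them.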
Classification of Data
Data classification helps companies to categorize their data in a way that conveys the confidentiality, integrity,
and availability of the information. An EISP data classification policy may arrange the entire set of information
as follows:

Data Type: Restricted Data
Description: Data should be classified as Restricted when the unauthorized disclosure, alteration or
destruction of that data could cause a significant level of risk to the organization or its affiliates. Examples of
Restricted data include data protected by state or federal privacy regulations and data protected by
confidentiality agreements. The highest level of security controls should be applied to Restricted data.

Data Type: Private Data
Description: Data should be classified as Private when the unauthorized disclosure, alteration or destruction
of that data could result in a moderate level of risk to the organization or its affiliates. By default, all
Institutional Data that is not explicitly classified as Restricted or Public data should be treated as Private data.
A reasonable level of security controls should be applied to Private data.

Data Type: Public Data
Description: Data should be classified as Public when the unauthorized disclosure, alteration or destruction
of that data would result in little or no risk to the organization and its affiliates. Examples of Public data
include press releases, course information and research publications. While little or no controls are required to
protect the confidentiality of Public data, some level of control is required to prevent unauthorized
modification or destruction of Public data.

Data classification policies help companies understand which data should be used by whom in which
scenarios and where those authorized data sources are located. Implementing a data classification policy
ensures that the organization can efficiently categorize and protect their critical, sensitive, and classified data.
Without these types of classification controls, sensitive data may get into the wrong hands and affect the
organization from a financial standpoint which might also affect their reputation with customers or vendors.
Developing a data classification policy will inherently serve as the foundation of your organization’s
effective security measures. Having an ironclad data classification policy in your organization’s EISP can aid
you in meeting regulatory compliance obligations as well as industry best practices and customer expectations
which can help sustain InfoSec operations well into the future.


Training & Awareness


Consistent cybersecurity awareness training sessions should be outlined within the EISP to engage
employees in the development of their InfoSec knowledge base. The basis of these security sessions will focus
on giving employees a high-level (yet digestible) overview of the procedures and mechanisms that are put in
place to protect the data. They should also be privy to the hierarchy to ensure that they know who to turn to
when a specific InfoSec scenario were to occur that required critical attention from the highest echelon of
executives.
These training sessions should also touch on vital topics such as data & records handling to ensure the
confidentiality and privacy of sensitive information. If your organization is customer facing or requires
employees to bring their own device (BYOD) to supplement their office communication components, these
training sessions should also cover the correct usage of resources away from the office as well. Following each
training session, make sure that all employees read and sign to acknowledge that they understand any
new policies and procedures, rather than just passively completing the course due to their job responsibilities.
Closing Thoughts
Developing a focused EISP for your organization will allow employees and executives of all levels to share
and correlate information fluidly between them and participate in a coordinated threat response when the time
comes. Organizations seeking to coordinate this level of collaboration for InfoSec tasks maintain a high level
of clarity for their objectives, understand their data classification structure, and define the applicable IT best
practices needed to develop an EISP. Following the formulation of the EISP, the company must maintain
InfoSec policies via focused training and a security awareness program to continue to optimize their
organizational efficiencies and safely sustain their level of productivity in the future.

INFORMATION SECURITY POLICY TYPES: EISP, ISSP, & SYSSP


1. Introduction
The meaning of a security policy and the importance of information security in management or business are still
not recognized by many people in organizations, companies and elsewhere. Management from all communities of
interest, including general staff, information technology, and information security, should make policies for
their organization. Policies direct how issues should be addressed and how technologies should be used. For a
large company or organization, developing a single policy document that speaks to all types of users within the
organization and addresses all the necessary information security issues may be difficult. It should be noted
that there is no single method for developing a security policy or policies. Many factors must be taken into
account, including audience type and company business and size. This paper therefore addresses the three types
of security policy that must be defined by the management of each company or organization: Enterprise
Information Security Policies (EISP), Issue-Specific Security Policies (ISSP), and Systems-Specific Security
Policies (SysSP).
2. Definitions of Policy
In discussions of computer security, the term policy has more than one meaning. As noted in an Office of
Technology Assessment report, Information Security and Privacy in Network Environments (1994), "Security Policy
refers here to the statements made by organizations, corporations, and agencies to establish overall policy on
information access and safeguards." Another meaning of policy comes from the book Principles of Information
Security, 4th Edition (2012), and refers to the "plan or course of action that conveys instructions from an
organization’s senior management to those who make decisions, take actions, and perform other duties." Policy is
senior management's directives to create a computer security program, establish its goals, and assign
responsibilities. The term policy is also used to refer to the specific security rules for particular systems.
Additionally, policy may refer to entirely different matters, such as the specific managerial decisions setting
an organization's e-mail privacy policy, internet use policy, and others.
3. Purpose of Policy
A security policy should fulfill many purposes. The basic purposes of a policy are that it should:
• Protect people and information
• Set the rules for expected behavior by users, system administrators, management, and security personnel
• Authorize security personnel to monitor, probe, and investigate
• Define and authorize the consequences of violation


• Define the company’s consensus baseline stance on security
• Help minimize risk
• Help track compliance with regulations and legislation
Information security policies provide a framework for best practice that can be followed by all employees. They
help to ensure risk is minimized and that any security incidents are effectively responded to.
In addition, information security policies will help turn staff into participants in the company’s efforts to
secure its information assets, and the process of developing these policies will help to define a company’s
information assets. An information security policy defines the organization’s attitude to information, and
announces internally and externally that information is an asset, the property of the organization, and is to be
protected from unauthorized access, modification, disclosure, and destruction.
4. Types of Security Policy
4.1 Enterprise Information Security Policy (EISP)
A management official, normally the head of the organization or the senior administration official, issues
program policy to establish (or restructure) the organization's computer security program and its basic structure.
The EISP is based on and directly supports the mission, vision, and direction of the organization. This high-level
policy defines the purpose of the program and its scope within the organization, assigns responsibilities (to the
computer security organization) for direct program implementation, as well as other responsibilities to related
offices (such as the Information Resources Management [IRM] organization), and addresses compliance issues. The
EISP sets organizational strategic directions for security and assigns resources for its implementation. A good
EISP should address the following components:
Purpose: Program policy normally includes a statement describing why the program is being established. This may
include defining the goals of the program. Security-related needs, such as integrity, availability, and
confidentiality, can form the basis of organizational goals established in policy. For instance, in an organization
responsible for maintaining large mission-critical databases, reduction in errors, data loss, data corruption, and
recovery might be specifically stressed. In an organization responsible for maintaining confidential personal data,
however, goals might emphasize stronger protection against unauthorized disclosure.
Scope: Program policy should be clear as to which resources (including facilities, hardware, software, information,
and personnel) the computer security program covers. In many cases, the program will encompass all systems and
organizational personnel, but this is not always true. In some instances, it may be appropriate for an
organization's computer security program to be more limited in scope.
Responsibilities: Once the computer security program is established, its management is normally assigned to
either a newly-created or an existing office. The responsibilities of officials and offices throughout the
organization also need to be addressed, including line managers, application owners, users, and the data
processing organization. This section of the policy statement, for example, would distinguish between the
responsibilities of computer services providers and those of the managers of applications using the provided
services. The policy could also establish operational security offices for major systems, particularly those at
high risk or most critical to organizational operations. It can also serve as the basis for establishing employee
accountability.
Compliance: The EISP typically will address two compliance issues:
1. General compliance to ensure meeting the requirements to establish a program and the responsibilities assigned
therein to various organizational components. Often an oversight office, for example the Inspector General, is
assigned responsibility for monitoring compliance, including how well the organization is implementing
management's priorities for the program.
2. The use of specified penalties and disciplinary actions. Since the security policy is a high-level document,
specific penalties for various infractions are normally not detailed here; instead, the policy may authorize the
creation of compliance structures that include violations and specific disciplinary actions.
4.2 Issue-Specific Security Policy (ISSP)
Unlike the EISP, which is intended to address the broad organization-wide computer security program,
issue-specific security policies (ISSP) are developed to focus on areas of current relevance and concern to an
organization. Management may find it appropriate, for example, to issue a policy on specific minimum
configurations of computers to defend against worms and viruses, or on the use of the internet. A policy could also
be issued, for example, on prohibitions against hacking and testing organization security controls. An ISSP may
also be appropriate when new issues arise, such as when


implementing a recently passed law requiring additional protection of particular information. The EISP is usually
broad enough that it does not require much modification over time, whereas ISSPs are likely to require more
frequent revision as changes in technology and related factors take place.
Like the EISP, which has its own components, a good ISSP also needs to include these components:

Components with Description

Statement of Policy: Defines the scope and applicability of the policy, the definition of the technology
addressed, and the responsibilities of the persons in charge of or covered by this policy.
Authorized Access and Usage of Equipment: Examines user access and fair and responsible use, and explains the
protection of privacy.
Prohibited Usage of Equipment: Defines and explains disruptive use or misuse, offensive or harassing materials,
and other restrictions.
Systems Management: Focuses on the user’s relationship to systems management. Specific rules from
management include regulating the use of email, storage of materials, virus protection, physical security and
encryption.
Violations of Policy: Policy statement that should contain the procedures for reporting violations and the
penalties for violations.
Limitations of Liability: The policy states the limits of liability; for example, the company will not protect an
employee who is caught violating the company policy.
4.3 Systems-Specific Policy (SysSP)
While ISSPs are formalized as written documents readily identifiable as policy, systems-specific policies
(SysSP) have a different look. They often function as standards or procedures to be used when configuring and
maintaining systems. A SysSP is much more focused, since it addresses only one system. System-specific security
policy includes two components: security objectives (also called managerial guidance) and operational security
rules (technical specifications). It is often accompanied by implementing procedures and guidelines.
Security Objectives: The first step in the management process is to define security objectives for the specific
system. A security objective needs to be more specific; it should be concrete and well defined. It also should be
stated so that it is clear that the objective is achievable. Security objectives consist of a series of statements
that describe meaningful actions about explicit resources. These objectives should be based on system functional
or mission requirements, but should state the security actions that support the requirements.
Operational Security Rules: After management determines the security objectives, the rules for operating a
system can be laid out, for example, to define authorized and unauthorized modification: who can use the system,
what authorized users can access, and when and where the authorized users can access it from. This specificity is
captured in Access Control Lists (ACL) and provides powerful control to the administrator. Besides ACLs,
configuration rule policies can also be included in this component.
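To show how the managerial half of a SysSP (security objectives) becomes the technical half (operational security rules), the following added example, which is not part of the original text or of any real system's policy, encodes an ACL for one hypothetical system, "hr-records". It combines the who/what/when/where dimensions listed above with the Restricted/Private/Public data classification from the earlier table, including that scheme's default-to-Private rule. The roles, resource names, business-hours window and source networks are constructed assumptions for the illustration; access is denied unless every dimension of the matching rule is satisfied.

```python
"""A SysSP for one hypothetical system ("hr-records") as executable rules.

Added example for illustration only. The roles, resource labels, business
hours window and source networks are constructed assumptions, not the
policy of any real organization. The Restricted / Private / Public classes
and the default-to-Private rule follow the classification scheme in the text.
"""
from dataclasses import dataclass
from datetime import time
from ipaddress import ip_address, ip_network

# Ordered from most to least sensitive.
CLASSES = ("Restricted", "Private", "Public")

# Constructed labels: only explicitly labelled resources are Restricted or
# Public; everything else falls back to Private, as the policy requires.
EXPLICIT_CLASSIFICATION = {
    "payroll.db": "Restricted",
    "press-release.txt": "Public",
}


def classify(resource):
    """Data classification lookup with the default-to-Private rule."""
    return EXPLICIT_CLASSIFICATION.get(resource, "Private")


@dataclass(frozen=True)
class Rule:
    """One operational security rule: who / what / when / where."""
    role: str           # who may use the system
    max_class: str      # most sensitive class this role is cleared for
    actions: frozenset  # what the role may do
    start: time         # when: permitted window (inclusive)
    end: time
    networks: tuple     # where from: allowed source networks


# Hypothetical ACL derived from security objectives such as "payroll data is
# modified only by HR staff, from the office network, during business hours"
# and "auditors may read payroll data at any time but never change it".
# One rule per role keeps the evaluation unambiguous.
ACL = (
    Rule("hr-staff", "Restricted", frozenset({"read", "write"}),
         time(8, 0), time(18, 0), (ip_network("10.10.0.0/16"),)),
    Rule("auditor", "Restricted", frozenset({"read"}),
         time(0, 0), time(23, 59, 59),
         (ip_network("10.10.0.0/16"), ip_network("192.0.2.0/24"))),
    Rule("employee", "Private", frozenset({"read"}),
         time(8, 0), time(18, 0), (ip_network("10.0.0.0/8"),)),
)


def evaluate(role, resource, action, at, src_ip):
    """Return (allowed, reason). Default deny: an allow requires the role's
    rule to match on clearance, action, time window and source network.
    `at` may be a datetime.time or an "HH:MM" string."""
    if isinstance(at, str):
        at = time.fromisoformat(at)
    cls = classify(resource)
    ip = ip_address(src_ip)
    for rule in ACL:
        if rule.role != role:
            continue
        # Lower index = more sensitive; deny if the data outranks the clearance.
        if CLASSES.index(cls) < CLASSES.index(rule.max_class):
            return False, f"{role} is not cleared for {cls} data"
        if action not in rule.actions:
            return False, f"{action} is not permitted for {role}"
        if not rule.start <= at <= rule.end:
            return False, f"outside permitted window {rule.start}-{rule.end}"
        if not any(ip in net for net in rule.networks):
            return False, f"source {src_ip} is not in an allowed network"
        return True, f"{role} may {action} {cls} data in {resource}"
    return False, f"no rule for role {role}"


if __name__ == "__main__":
    for req in [("hr-staff", "payroll.db", "write", "09:30", "10.10.5.7"),
                ("hr-staff", "payroll.db", "write", "22:00", "10.10.5.7"),
                ("employee", "payroll.db", "read", "09:00", "10.1.2.3"),
                ("auditor", "payroll.db", "read", "03:00", "192.0.2.10")]:
        print(req, "->", evaluate(*req))
```

Each denial carries the dimension that failed, which is what an administrator reviewing an access log needs; the objectives themselves stay in prose in the SysSP, while the `ACL` table is the technical specification that a system can actually enforce.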
5. Case Study: The Implementation of EISP, ISSP and SysSP in the USM ICT Security Policy
The Centre for Knowledge, Communication, and Technology (PPKT) department is responsible for ICT at University
Science Malaysia (USM). All infrastructure such as networking, telecommunication and ICT security is controlled by
this department. For a large organization like USM, ICT security is both needed and important. Therefore, this
department made an ICT security policy to be implemented in USM management. In this ICT Security Policy, they
implemented the components of the EISP.

Information Security Policy, Standards, and Practices

An information security policy (ISP) is a set of rules, policies and procedures designed to ensure all end users
and networks within an organization meet minimum IT security and data protection security requirements.

ISPs should address all data, programs, systems, facilities, infrastructure, authorized users, third parties and
fourth parties of an organization.

What is the Purpose of an Information Security Policy?


An information security policy aims to enact protections and limit the distribution of data to only those with
authorized access. Organizations create ISPs to:

• Establish a general approach to information security
• Document security measures and user access control policies
• Detect and minimize the impact of compromised information assets such as misuse of data, networks,
mobile devices, computers and applications
• Protect the reputation of the organization
• Comply with legal and regulatory requirements like NIST, GDPR, HIPAA and FERPA
• Protect their customers’ data, such as credit card numbers
• Provide effective mechanisms to respond to complaints and queries related to real or perceived cyber
security risks such as phishing, malware and ransomware
• Limit access to key information technology assets to those who have an acceptable use

Why is an Information Security Policy Important?

Creating an effective information security policy that meets all compliance requirements is a critical step in
preventing security incidents like data leaks and data breaches.

ISPs are important for new and established organizations. Increasing digitalization means every employee is
generating data and a portion of that data must be protected from unauthorized access. Depending on your
industry, it may even be protected by laws and regulations.

Sensitive data, personally identifiable information (PII), and intellectual property must be protected to a higher
standard than other data.

Whether you like it or not, information security (InfoSec) is important at every level of your organization. And
outside of your organization.

Increased outsourcing means third-party vendors have access to data too. This is why third-party risk
management and vendor risk management is part of any good information security policy. Third-party
risk, fourth-party risk and vendor risk are no joke.

What are the Key Elements of an Information Security Policy?

An information security policy can be as broad as you want it to be. It can cover IT security and/or physical
security, as well as social media usage, lifecycle management and security training. In general, an information
security policy will have these nine key elements:

1. Purpose

Outline the purpose of your information security policy which should:

• Preserve your organization's information security.
• Detect and preempt information security breaches caused by third-party vendors, misuse of networks, data,
applications, computer systems and mobile devices.
• Protect the organization's reputation
• Uphold ethical, legal and regulatory requirements
• Protect customer data and respond to inquiries and complaints about non-compliance of security
requirements and data protection


2. Audience

Define who the information security policy applies to and who it does not apply to. You may be tempted to say
that third-party vendors are not included as part of your information security policy.

This may not be a great idea. Third-party, fourth-party risk and vendor risk should be accounted for. Whether or
not you have a legal or regulatory duty to protect your customer's data from third-party data breaches and data
leaks isn't important. Customers may still blame your organization for breaches that were not in your total
control and the reputational damage can be huge.

3. Information Security Objectives

These are the goals management has agreed upon, as well as the strategies used to achieve them.

In the end, information security is concerned with the CIA triad:

• Confidentiality: data and information are protected from unauthorized access
• Integrity: data is intact, complete and accurate
• Availability: IT systems are available when needed

4. Authority and Access Control Policy

This part is about deciding who has the authority to decide what data can be shared and what can't. Remember,
this may not be always up to your organization. For example, if you are the CSO at a hospital. You likely need
to comply with HIPAA and its data protection requirements. If you store medical records, they can't be shared
with an unauthorized party whether in person or online.

An access control policy can help outline the level of authority over data and IT systems for every level of your
organization. It should outline how to handle sensitive information, who is responsible for security controls,
what access control is in place and what security standards are acceptable.

It may also include a network security policy that outlines who can have access to company networks and
servers, as well as what authentication requirements are needed including strong password
requirements, biometrics, ID cards and access tokens.

In some cases, employees are contractually bound to comply with the information security policy before being
granted access to any information systems and data centers.

5. Data Classification

An information security policy must classify data into categories. A good way to classify the data is into five
levels that dictate an increasing need for protection:

1. Level 1: Public information
2. Level 2: Information your organization has chosen to keep confidential but disclosure would not cause
material harm
3. Level 3: Information has a risk of material harm to individuals or your organization if disclosed
4. Level 4: Information has a high risk of causing serious harm to individuals or your organization if disclosed
5. Level 5: Information will cause severe harm to individuals or your organization if disclosed


In this classification, levels 2-5 would be classified as confidential information and would need some form of
protection.

6. Data Support and Operations

Once data has been classified, you need to outline how data at each level will be handled. There are generally
three components to this part of your information security policy:

1. Data protection regulations: Organizations that store personally identifiable information (PII) or sensitive
data must protect it according to organizational standards, best practices, industry compliance standards
and regulation
2. Data backup requirements: Outlines how data is backed up, what level of encryption is used and what
third-party service providers are used
3. Movement of data: Outlines how data is communicated. Data deemed classified under the above data
classification should be communicated securely with encryption and not transmitted across public networks,
to avoid man-in-the-middle attacks

7. Security Awareness Training

A perfect information security policy that no one follows is no better than having no policy at all. You need
your staff to understand what is required of them. Training should be conducted to inform employees of security
requirements, including data protection, data classification, access control and general security threats.

Security training should include:

• Social engineering: Teach your employees about phishing, spearphishing and other common social
engineering cyber attacks
• Clean desk policy: Laptops should be taken home and documents shouldn't be left on desks at the end of
the work day
• Acceptable usage: What can employees use their work devices and Internet for and what is restricted?

8. Responsibilities and Duties of Employees

This is where you operationalize your information security policy. This part of your information security policy
needs to outline the owners of:

• Security programs
• Acceptable use policies
• Network security
• Physical security
• Business continuity
• Access management
• Security awareness
• Risk assessments
• Incident response
• Data security
• Disaster recovery
• Incident management

9. Other Items an ISP May Include


Virus protection procedure, malware protection procedure, network intrusion detection procedure, remote work
procedure, technical guidelines, consequences for non-compliance, physical security requirements, references to
supporting documents, etc.

What are the Best Practices for Information Security Management?

A mature information security policy will outline or refer to the following policies:

1. Acceptable use policy (AUP): Outlines the constraints an employee must agree to in order to use a corporate
computer and/or network
2. Access control policy (ACP): Outlines access controls to an organization's data and information systems
3. Change management policy: Refers to the formal process for making changes to IT, software development
and security
4. Information security policy: High-level policy that covers a large number of security controls
5. Incident response (IR) policy: An organized approach to how the organization will manage and remediate
an incident
6. Remote access policy: Outlines acceptable methods of remotely connecting to internal networks
7. Email/communication policy: Outlines how employees can use the business's chosen electronic
communication channels such as email, Slack or social media
8. Disaster recovery policy: Outlines the cybersecurity and IT teams' input into an overall business
continuity plan
9. Business continuity plan (BCP): Coordinates efforts across the organization and is used in the event of a
disaster to restore the business to a working order
10. Data classification policy: Outlines how your organization classifies its data
11. IT operations and administration policy: Outlines how all departments and IT work together to meet
compliance and security requirements.
12. SaaS and cloud policy: Provides the organization with clear cloud and SaaS adoption guidelines, this helps
mitigate third-party and fourth-party risk
13. Identity access and management (IAM) policy: Outlines how IT administrators authorize systems and
applications to the right employees and how employees create passwords to comply with security standards
14. Data security policy: Outlines the technical requirements and acceptable minimum standards for data
security to comply with relevant laws and regulations
15. Privacy regulations: Outlines how the organization complies with government-enforced regulations such
as GDPR that are designed to protect customer privacy
16. Personal and mobile devices policy: Outlines if employees are allowed to use personal devices to access
company infrastructure and how to reduce the risk of exposure from employee-owned assets

WHAT IS THE PURPOSE OF AN ENTERPRISE INFORMATION SECURITY POLICY?


Information security policy is an extremely important topic that is often not discussed at all, for a number of
reasons. Organizations often find that after they create and implement their Enterprise Information Security
Policy (EISP), they put it on the back burner until the time comes to update it for compliance purposes. This
shouldn't be the case.
Ponemon reported in 2018 that a single ransomware attack costs companies an average of roughly $5 million,
with about $1.25 million attributed to system downtime and another $1.5 million to IT and end-user productivity
loss. Ransomware attacks can happen in many different ways, but when an organization is collectively on the
same page it can keep growing while protecting the critical information on its network. Let's discuss how to
build a comprehensive yet easy-to-understand EISP that can be updated regularly as the company continues to
scale.
Organizational Need for IT Security
According to the 2018 IDG Security Priorities Study, 69% of companies see compliance mandates driving
security spending. That spending is best directed at an integrated security framework woven into and across
every aspect of the evolving network. IT security enables unified policy creation, centralized orchestration, and
consistent enforcement, and so brings about positive change in the organization as a whole.
Enterprise Information Security Policy (EISP)
In short, an Enterprise Information Security Policy (EISP) details what a company’s philosophy is on
security and helps to set the direction, scope, and tone for all of an organization’s security efforts. This type of
management-level document is usually written by the company’s Chief Executive Officer (CEO) or Chief
Information Officer (CIO) or someone serving in that capacity. When completed, the EISP will be used as a
roadmap for the development of future security programs, setting the tone for how the company handles
specific security matters.
The EISP explains how the organization believes its security program should be structured: which roles and
responsibilities exist within the company's security function, and how they combine to keep key information
safe from intrusion. The document should also identify the foundational principles of an effective security
policy and determine the appropriate security levels through security standards and guidelines. The EISP must
also ensure that the appropriate responsibilities are assigned to the applicable organizational components so
that maximum security effectiveness is achieved.
Unlike other enterprise security policies, standards and procedures that need to be constantly modified,
the key elements of an Enterprise Information Security Policy will usually not need to be modified after it is
completed the first time. The only time an EISP is usually modified is if there is a change in the strategic
direction of the organization.
Statement of Purpose
Stating the security goals of the organization in the EISP allows the company to integrate its mission statement
and objectives into its functional structure in a way that enhances and furthers the organization's purpose. The
language of the statement of purpose should be crafted to promote consensus among executives and employees
alike.
The statement of purpose needs to be generically stated, yet pointed enough that those who are accountable for
a task know to institute a specific approval process for it. The purpose should also show that the organization
maintains a culture driven by self-discipline, attention to detail, self-inspection, and motivation. This
organizational security stance shapes the security philosophy of the organization's IT environment, which in
turn directly supports its underlying mission and value statements.
Legal Compliance
How an EISP is used will ultimately vary from one company to another based on the purpose of the
organization itself. A hospital that handles a large volume of Protected Health Information (PHI) in electronic
form may specify in its EISP that its goals are focused on safeguarding PHI against unauthorized access and
accidental dissemination. Stating these goals in the EISP protects the reputation of the company with respect to
its ethical and legal responsibilities.
For example, the security policy of a company that deals exclusively with the public will take a different
approach to legal compliance in its EISP than that of a government organization that handles sensitive and/or
classified information. The EISP must address the appropriate use of penalties and disciplinary actions based on
the legal compliance requirements the organization must adhere to. These legal compliance policies guide the
development of procedures and guidelines that resolve what should be done in a specific scenario and who is
responsible for doing it.

Objectives
Organizations should strive to compose well-defined security and strategy objectives in their EISP that the
entire organization is on board with implementing. Keeping these objectives simple and easy to understand
helps to smooth away differences of opinion about them and to reach consensus among security management
staff. This ensures that any disagreement over the meaning of the objectives is ironed out and that the
organization is in the best position to implement the plan successfully.

EISP objectives should never use ambiguous expressions that cause confusion and detract from the underlying
goals the executive team has set. They should use direct language and avoid redundant wording; long-winded
objectives read as out of sync with the company's main security framework.
Formulating the EISP objectives requires the executive team to look inward at the goals of the organization
from a high level to ensure continued Confidentiality, Integrity, and Availability:
• Confidentiality – this objective calls for the protection of information from unauthorized access, disclosure,
and misuse. Safeguards and processes that increase the chance of catching intruders, through ongoing
monitoring, testing, and training, are key.
• Integrity – this objective calls for the protection of policies, processes, systems, and data from intentional or
accidental unauthorized modification. Integrity is threatened both by system and instrumentation
vulnerabilities and by human error, which is what makes safeguards against loss of integrity so important.
• Availability – this objective calls for timely and reliable access to, and use of, information, no matter
what is currently affecting the world around the organization. This includes threats such as natural disasters,
hardware failures, programming errors, human errors, distributed denial of service (DDoS) attacks, and
malicious code. The organization must implement safeguards that address availability so that incident
response preparedness and disaster recovery planning are effective when the time comes.
Authority & Access Control Policy
EISPs typically adopt a hierarchical, tiered structure that gives lower-tier employees access only to the
information their role requires unless otherwise specified. An EISP must specify what level of access an
executive or technology department responsible for data handling has to move data around on any type of
media, so that only those executives have the authority to decide what data can be shared and with whom.
This hierarchy-based delegation of control means, for example, that the highest member of the access hierarchy
(usually the CIO or CEO) holds authority over the project files of the groups he or she is appointed to, whereas
the systems administrator has authority solely over the system files. The hierarchy should also be structured
around "need-to-know" access to particular information.
Physical or digital access to an organization's network and servers should be through unique logins that require
authentication in the form of passwords, biometrics, ID cards, or tokens. Unique, non-shared accounts are what
make access records attributable to an individual. Executives must strike a balance in the access control
policies of the EISP so that those who need the data for their job are not denied access when the time comes.
Data custodians must implement further safeguards, such as monitoring of login attempts by those with access,
to keep enterprise data secure at all times.
Classification of Data
Data classification helps companies to categorize their data in a way that conveys the confidentiality, integrity,
and availability of the information. An EISP data classification policy may arrange the entire set of information
as follows:

Data Type        Description

Restricted Data  Data should be classified as Restricted when the unauthorized disclosure, alteration, or
                 destruction of that data could cause a significant level of risk to the organization or its
                 affiliates. Examples of Restricted data include data protected by state or federal privacy
                 regulations and data protected by confidentiality agreements. The highest level of
                 security controls should be applied to Restricted data.

Private Data     Data should be classified as Private when the unauthorized disclosure, alteration, or
                 destruction of that data could result in a moderate level of risk to the organization or its
                 affiliates. By default, all institutional data that is not explicitly classified as Restricted
                 or Public should be treated as Private data. A reasonable level of security controls
                 should be applied to Private data.

Public Data      Data should be classified as Public when the unauthorized disclosure, alteration, or
                 destruction of that data would result in little or no risk to the organization and its
                 affiliates. Examples of Public data include press releases, course information, and
                 research publications. While little or no controls are required to protect the
                 confidentiality of Public data, some level of control is required to prevent unauthorized
                 modification or destruction of Public data.

Data classification policies help companies understand which data should be used by whom in which
scenarios and where those authorized data sources are located. Implementing a data classification policy
ensures that the organization can efficiently categorize and protect their critical, sensitive, and classified data.
Without these types of classification controls, sensitive data may get into the wrong hands and affect the
organization from a financial standpoint which might also affect their reputation with customers or vendors.
Developing a data classification policy will inherently serve as the foundation of your organization’s
effective security measures. Having an ironclad data classification policy in your organization’s EISP can aid
you in meeting regulatory compliance obligations as well as industry best practices and customer expectations
which can help sustain InfoSec operations well into the future.
Training & Awareness
Consistent cybersecurity awareness training sessions should be outlined within the EISP to engage
employees in the development of their InfoSec knowledge base. The basis of these security sessions will focus
on giving employees a high-level (yet digestible) overview of the procedures and mechanisms that are put in
place to protect the data. They should also be privy to the hierarchy to ensure that they know who to turn to
when a specific InfoSec scenario were to occur that required critical attention from the highest echelon of
executives.
These training sessions should also touch on vital topics such as data & records handling to ensure the
confidentiality and privacy of sensitive information. If your organization is customer facing or requires
employees to bring their own device (BYOD) to supplement their office communication components, these
training sessions should also cover the correct usage of resources away from the office as well. Following each
training session, make sure that all employees read and sign to acknowledge that they understand any
new policies and procedures, rather than just passively completing the course due to their job responsibilities.
Closing Thoughts
Developing a focused EISP for your organization will allow employees and executives of all levels to share
and correlate information fluidly between them and participate in a coordinated threat response when the time
comes. Organizations seeking to coordinate this level of collaboration for InfoSec tasks maintain a high level
of clarity for their objectives, understand their data classification structure, and define the applicable IT best
practices needed to develop an EISP. Following the formulation of the EISP, the company must maintain
InfoSec policies via focused training and a security awareness program to continue to optimize their
organizational efficiencies and safely sustain their level of productivity in the future.

INFORMATION SECURITY POLICY TYPES: EISP, ISSP, & SYSSP


1. Introduction

The meaning of the term security policy, and the importance of information security to management and the business, are
still not recognized by many people in organizations and companies. Management from all communities of interest, including
general management, information technology, and information security, should make policies for their organization. Policies
direct how issues should be addressed and how technologies should be used. For a large company or organization, developing
a single policy document that speaks to all types of users and addresses all the necessary information security issues may
be difficult. There is no single method for developing a security policy or policies; many factors must be taken into
account, including the type of audience and the company's business and size. This paper therefore addresses the three types
of security policy that the management of each company or organization must define: Enterprise Information Security Policy
(EISP), Issue-Specific Security Policy (ISSP), and Systems-Specific Security Policy (SysSP).
2. Definitions of Policy
In discussions of computer security, the term policy has more than one meaning. As noted in an Office of
Technology Assessment report, Information Security and Privacy in Network Environments (1994), "Security Policy
refers here to the statements made by organizations, corporations, and agencies to establish overall policy on
information access and safeguards." Another meaning of policy comes from the book Principles of Information Security,
4th Edition (2012), which defines it as a "plan or course of action that conveys instructions from an organization's
senior management to those who make decisions, take actions, and perform other duties." Policy is senior management's
directive to create a computer security program, establish its goals, and assign responsibilities. The term policy
is also used to refer to the specific security rules for particular systems. Additionally, policy may refer to
entirely different matters, such as the specific managerial decisions setting an organization's e-mail privacy
policy, Internet use policy, and others.
3. Purpose of Policy
A security policy should fulfill many purposes. At a minimum, a policy should:
• Protect people and information
• Set the rules for expected behavior by users, system administrators, management, and security personnel
• Authorize security personnel to monitor, probe, and investigate
• Define and authorize the consequences of violation
• Define the company's consensus baseline stance on security
• Help minimize risk
• Help track compliance with regulations and legislation
Information security policies provide a framework for best practice that can be followed by all employees. They
help to ensure that risk is minimized and that any security incidents are responded to effectively.
In addition, information security policies help turn staff into participants in the company's efforts to
secure its information assets, and the process of developing these policies helps to define what the company's
information assets are. An information security policy defines the organization's attitude to information, and announces
internally and externally that information is an asset, the property of the organization, and is to be protected
from unauthorized access, modification, disclosure, and destruction.
4. Types of Security Policy
4.1 Enterprise Information Security Policy (EISP)
A management official, normally the head of the organization or the senior administration official, issues
program policy to establish (or restructure) the organization's computer security program and its basic structure.
The EISP is based on and directly supports the mission, vision, and direction of the organization. This high-level
policy defines the purpose of the program and its scope within the organization, assigns responsibilities (to the computer
security organization) for direct program implementation, as well as other responsibilities to related offices (such as the
Information Resources Management [IRM] organization), and addresses compliance issues. The EISP sets organizational strategic
directions for security and assigns resources for its implementation. A good EISP should address the following
components:
Purpose: Program policy normally includes a statement describing why the program is being established. This may include
defining the goals of the program. Security-related needs, such as integrity, availability, and confidentiality, can
form the basis of organizational goals established in policy. For instance, in an organization responsible for maintaining large
mission-critical databases, reduction in errors, data loss, data corruption, and recovery might be specifically stressed. In
an organization responsible for maintaining confidential personal data, however, goals might emphasize stronger protection
against unauthorized disclosure.
Scope: Program policy should be clear as to which resources - including facilities, hardware, software, information, and
personnel - the computer security program covers. In many cases, the program will encompass all systems and
organizational personnel, but this is not always true. In some instances, it may be appropriate for an
organization's computer security program to be more limited in scope.
Responsibilities: Once the computer security program is established, its management is normally assigned to
either a newly created or an existing office. The responsibilities of officials and offices throughout the organization
also need to be addressed, including line managers, application owners, users, and the data processing function. This section of the
policy statement, for example, would distinguish between the responsibilities of computer services providers
and those of the managers of applications using the provided services. The policy could also establish operational security
offices for major systems, particularly those at high risk or most critical to organizational operations. It can also
serve as the basis for establishing employee accountability.
Compliance: The EISP typically addresses two compliance issues:
1. General compliance, to ensure that the requirements to establish a program and the responsibilities assigned therein to
various organizational components are met. Often an oversight office, for example the Inspector General, is assigned
responsibility for monitoring compliance, including how well the organization is implementing management's priorities for the
program.
2. The use of specified penalties and disciplinary actions. Since the security policy is a high-level document, specific
penalties for various infractions are normally not detailed here; instead, the policy may authorize the creation
of compliance structures that define violations and the corresponding disciplinary actions.

4.2 Issue-Specific Security Policy (ISSP)


Unlike the EISP, which is intended to address the broad, organization-wide computer security program, issue-specific
security policies (ISSPs) are developed to focus on areas of current relevance and concern to an organization. Management
may find it appropriate, for example, to issue a policy on specific minimum configurations of computers to defend against
worms and viruses, or on the use of the Internet. A policy could also be issued, for example, on prohibitions against
hacking and testing the organization's security controls. An ISSP may also be appropriate when new issues arise, such as when
implementing a recently passed law requiring additional protection of particular information. The EISP is usually broad enough
that it does not require much modification over time, whereas ISSPs are likely to require more frequent revision
as changes in technology and related factors take place.
Just as the EISP has its own components, a good ISSP also needs to include the following components:

Statement of Policy: Defines the scope and applicability of the policy, the technology addressed, and
the responsibilities of the people in charge of or covered by the policy.
Authorized Access and Usage of Equipment: Examines user access, fair and responsible use, and the
protection of privacy.
Prohibited Usage of Equipment: Defines and explains disruptive use or misuse, offensive or harassing materials, and
other restrictions.
Systems Management: Focuses on the user's relationship to systems management. Specific rules from
management cover the use of email, storage of materials, virus protection, physical security, and encryption.
Violations of Policy: States the procedures for reporting violations and the penalties for violations.
Limitations of Liability: States the organization's position on liability; for example, the company will not protect an
employee who is caught violating company policy.
4.3 Systems-Specific Policy (SysSP)
While ISSPs are formalized as written documents readily identifiable as policy, systems-specific policies
(SysSPs) have a different look. They often function as standards or procedures to be used when configuring and
maintaining systems, and they are much more focused, since each addresses only one system. A system-specific security policy
includes two components: security objectives (also called managerial guidance) and operational security rules (technical
specifications). It is often accompanied by implementing procedures and guidelines.
Security Objectives: The first step in the management process is to define security objectives for the specific system. A
security objective needs to be specific, concrete, and well defined, and it should be stated so that it is clear that
the objective is achievable. Security objectives consist of a series of statements that describe meaningful actions
about explicit resources. These objectives should be based on system functional or mission requirements, but should
state the security actions that support those requirements.
Operational Security Rules: After management determines the security objectives, the rules for operating the
system can be laid out; for example, to define authorized and unauthorized modification: who can use the system, what
authorized users can access, and when and from where authorized users can access it. This specificity is captured in
Access Control Lists (ACLs), which give the administrator powerful control. Besides ACLs, configuration rule
policies can also be included in this component.
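The following Python sketch is an added example, not part of the original notes or of any real system's policy. It shows what the operational security rules of a SysSP look like once written down as an access control list: each rule names who may act (user or group), on what (resource), how (actions), from where (source networks) and when (time-of-day window), with everything not explicitly allowed denied, and an explicit deny overriding any allow. The users, groups, file paths and address ranges are constructed for the demonstration.

```python
"""Deny-by-default ACL evaluator: SysSP operational security rules expressed in code.

Illustrative example only. The principals, resources and CIDR ranges below are
constructed for this demonstration and do not describe any real system.
"""
from dataclasses import dataclass
from datetime import datetime, time
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple


@dataclass(frozen=True)
class Rule:
    subject: str                   # user or group name; "*" matches any principal
    resource: str                  # exact resource name, or a prefix ending in "*"
    actions: frozenset             # operations the rule covers, e.g. {"read", "write"}
    effect: str = "allow"          # "allow" or "deny"; an explicit deny always wins
    sources: Tuple[str, ...] = ()  # permitted source CIDRs; empty means any source
    window: Optional[Tuple[time, time]] = None  # local time-of-day window; None means any time


def _resource_matches(pattern: str, resource: str) -> bool:
    if pattern.endswith("*"):
        return resource.startswith(pattern[:-1])
    return pattern == resource


def _source_matches(rule: Rule, src: str) -> bool:
    if not rule.sources:
        return True
    addr = ip_address(src)
    return any(addr in ip_network(cidr) for cidr in rule.sources)


def _time_matches(rule: Rule, when: datetime) -> bool:
    if rule.window is None:
        return True
    start, end = rule.window
    now = when.time()
    if start <= end:
        return start <= now <= end
    return now >= start or now <= end  # window that crosses midnight


def evaluate(rules, subject, groups, resource, action, src, when):
    """Return (decision, reason) for one access request.

    Every rule is consulted: an explicit deny short-circuits to "deny", the first
    matching allow is remembered, and a request that matches no rule is denied.
    """
    principals = {subject, *groups, "*"}
    allowed_by = None
    for rule in rules:
        if rule.subject not in principals or action not in rule.actions:
            continue
        if not (_resource_matches(rule.resource, resource)
                and _source_matches(rule, src)
                and _time_matches(rule, when)):
            continue
        if rule.effect == "deny":
            return "deny", f"explicit deny for {rule.subject} on {rule.resource}"
        if allowed_by is None:
            allowed_by = rule
    if allowed_by is not None:
        return "allow", f"allowed by rule for {allowed_by.subject} on {allowed_by.resource}"
    return "deny", "no matching rule (default deny)"


# Constructed rule set for a hypothetical payroll file server.
RULES = [
    # Administrators may change system configuration, but only from the admin jump subnet.
    Rule("sysadmins", "/etc/*", frozenset({"read", "write"}), sources=("10.0.5.0/24",)),
    # Payroll staff may read payroll data from the corporate network during business hours.
    Rule("payroll", "/data/payroll/*", frozenset({"read"}),
         sources=("10.0.0.0/16",), window=(time(8, 0), time(18, 0))),
    # Contractors never touch payroll data, even if they also sit in the payroll group.
    Rule("contractors", "/data/payroll/*", frozenset({"read", "write"}), effect="deny"),
]


def decide(subject, groups, resource, action, src, when_iso):
    """Convenience wrapper over RULES: ISO-8601 timestamp in, bare decision string out."""
    return evaluate(RULES, subject, set(groups), resource, action, src,
                    datetime.fromisoformat(when_iso))[0]


if __name__ == "__main__":
    requests = [
        ("alice", ["payroll"], "/data/payroll/2024.csv", "read", "10.0.12.7", "2024-03-04T10:30"),
        ("alice", ["payroll"], "/data/payroll/2024.csv", "read", "10.0.12.7", "2024-03-04T22:00"),
        ("alice", ["payroll"], "/data/payroll/2024.csv", "read", "203.0.113.9", "2024-03-04T10:30"),
        ("alice", ["payroll"], "/data/payroll/2024.csv", "write", "10.0.12.7", "2024-03-04T10:30"),
        ("bob", ["payroll", "contractors"], "/data/payroll/2024.csv", "read", "10.0.12.7", "2024-03-04T10:30"),
        ("carol", ["sysadmins"], "/etc/ssh/sshd_config", "write", "10.0.5.20", "2024-03-04T10:30"),
        ("carol", ["sysadmins"], "/etc/ssh/sshd_config", "write", "10.0.12.7", "2024-03-04T10:30"),
    ]
    for subj, grps, res, act, src, ts in requests:
        decision, reason = evaluate(RULES, subj, set(grps), res, act, src, datetime.fromisoformat(ts))
        print(f"{subj:6} {act:5} {res:26} from {src:12} at {ts[11:]} -> {decision}: {reason}")
```

Two design points matter more than the rule syntax. First, the evaluator denies anything that no rule covers, so forgetting a rule fails closed rather than open; the fourth request above (a payroll user trying to write) is denied for exactly that reason. Second, explicit deny is evaluated with precedence over allow, which is what lets the contractor rule hold even when the same person has been added to the payroll group. Both properties are what a SysSP's "authorized and unauthorized modification" language has to translate into, whatever the platform's native ACL format.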
5. Case Study : The Implementation of EISP, ISSP and SysSP in USM ICT Security Policy .
The Centre for Knowledge, Communication, and Technology (PPKT) is the department responsible for ICT at Universiti
Sains Malaysia (USM). All of the infrastructure, such as networking, telecommunications and ICT security, is controlled by this
department. For a large organization like USM, ICT security is both needed and important. Therefore, this
department has made an ICT security policy to be implemented across USM management. In this ICT Security
Policy, they have implemented the components of an EISP.
