Aksum University, Dept. of Computing Technology
Chapter Six
Contents
- Information security planning for security
- Policies and practices
- Information security policy standards
- Security education, training and awareness
6. Information security standards and policies
A standard is a document that establishes a uniform technical specification, together with the
processes and procedures that define how and when an information system may be accessed.
Policies are rules and standard documents about information access in an organization.
It is important to develop standards and documents within an organization regarding the
access and use of information assets. Awareness and training programs are equally
important if they are conducted regularly, since some of the risks come from user unawareness.
Security education is vital for a company's employees: it can reduce the risks that originate
from unintentional human error, such as opening spam or email attachments without
reading them and verifying their origin first.
6.1. Security Best Practices
As you noticed from the previous chapters, there is a rich collection of standards and
security tools on the system and information security landscape, because as technology
evolves the security situation becomes more complex, and it grows more so every day.
With these changes, however, some trends and approaches to security remain the same.
One of these constants is having a sound strategy for dealing with the changing security
landscape. Developing such a security strategy involves keeping an eye on the reality of
the changing technology scene and the rapidly increasing security threats. To keep abreast
of all these changes, security experts and security managers must know how and what
to protect, what controls to put in place, and when. It takes security
management, planning, policy development, and the design of security procedures. It is
important to remember and clearly understand that no procedure, policy, or
technology, however much you like it and trust it, will ever be 100% effective, so it is
important for any company to have a designated security person, preferably a security
program officer or chief security officer reporting to the chief information officer, who is
responsible for the security best practices.
Some of the security best practices are the following:
- Using complex passwords that meet the standards.
- Avoiding the use of default passwords.
- User training and conducting regular awareness programs for the employees of the
organization.
- Refraining from installing software from unverified publishers.
- Keeping the system software up to date with bug fixes and new patches.
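The first two practices in the list (complex passwords that meet a standard, and no default passwords) are the kind of rule an organization writes into a password standard and then enforces at the point where a password is set. The following is an added example, not code from the handout, showing how such a standard can be turned into a mechanical compliance check. The thresholds (minimum length, number of character classes, the repeated-character rule) and the list of default passwords are assumptions made for illustration; the handout names no specific standard.

```python
"""Password-policy compliance check.

Added example for the best-practices list above; it is not part of the
handout. The thresholds below are assumed for illustration (the handout
names no specific standard): minimum length, character-class mix, no known
default password, no username inside the password, and no long run of one
repeated character.
"""
import re
import string

# Assumed policy thresholds (illustrative, not from the handout).
MIN_LENGTH = 12
MIN_CLASSES = 3  # of the four classes: lower, upper, digit, symbol

# Constructed list of vendor/default passwords that must never be accepted.
# Illustrative only; a real deployment would use the organization's own list.
DEFAULT_PASSWORDS = frozenset({
    "admin", "password", "12345678", "changeme", "default", "welcome1",
})


def character_classes(password: str) -> int:
    """Count how many of the four character classes the password uses."""
    checks = (
        lambda c: c.islower(),
        lambda c: c.isupper(),
        lambda c: c.isdigit(),
        lambda c: c in string.punctuation,
    )
    return sum(1 for check in checks if any(check(c) for c in password))


def check_password(password: str, username: str = "") -> list[str]:
    """Return the list of policy violations; an empty list means compliant."""
    violations = []
    if len(password) < MIN_LENGTH:
        violations.append(f"shorter than {MIN_LENGTH} characters")
    if character_classes(password) < MIN_CLASSES:
        violations.append(f"uses fewer than {MIN_CLASSES} character classes")
    if password.lower() in DEFAULT_PASSWORDS:
        violations.append("matches a known default password")
    if username and username.lower() in password.lower():
        violations.append("contains the username")
    if re.search(r"(.)\1\1", password):
        violations.append("repeats one character three or more times in a row")
    return violations


def is_compliant(password: str, username: str = "") -> bool:
    """True when the password meets every rule of the assumed policy."""
    return not check_password(password, username)


if __name__ == "__main__":
    # Constructed sample inputs: a default credential, a compliant password,
    # and one that passes the complexity rules but fails the repetition rule.
    samples = (
        ("admin", "admin"),
        ("jdoe", "Correct-Horse-9"),
        ("jdoe", "aaaBBB111!!!"),
    )
    for user, pw in samples:
        print(f"{user!r}/{pw!r}: {check_password(pw, user) or 'compliant'}")
```

Returning the full list of violations rather than a single yes/no lets the system tell the user every rule they missed at once, which is what keeps a strict standard from becoming a source of help-desk tickets. The default-password check is deliberately case-insensitive so that trivial variants of a vendor default do not slip through.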
Information Security, Chapter 6. Prepared by: Tsehay A.
An organization’s information security effort succeeds only if it operates in conjunction
with the organization’s information security policy. An information security program
begins with policy, standards, and practices, which are the foundation for the
information security architecture and blueprint. The creation and maintenance of these
elements require coordinated planning. The role of planning in the modern organization
is hard to overemphasize. All but the smallest organizations engage in some planning:
strategic planning to manage the allocation of resources and contingency planning to
prepare for the uncertainties of the business environment.
Once the organization’s overall strategic plan is translated into strategic plans for each
major division or operation, the next step is to translate these plans into tactical
objectives that move toward reaching specific, measurable, achievable, and time-bound
accomplishments.
6.2. Planning Levels
The process of strategic planning seeks to transform broad, general, sweeping
statements into more specific and applied objectives. Strategic plans are used to create
tactical plans, which are in turn used to develop operational plans.
Tactical planning focuses on shorter-term undertakings that will be completed within
one or two years. The process of tactical planning breaks each strategic goal into a
series of incremental objectives. Each objective in a tactical plan should be specific and
should have a delivery date within a year of the plan’s start. Budgeting, resource
allocation, and personnel are critical components of the tactical plan. Although these
components may be discussed in general terms at the strategic planning level, the actual
resources must be in place before the tactical plan can be translated into the operational
plan. Tactical plans often include project plans and resource acquisition planning
documents (such as product specifications), project budgets, project reviews, and
monthly and annual reports.
Because tactical plans are often created for specific projects, some organizations call
this process project planning or intermediate planning. The chief information security
officer (CISO) and the security managers use the tactical plan to organize, prioritize,
and acquire resources necessary for major projects and to provide support for the
overall strategic plan.
Managers and employees use operational plans, which are derived from the tactical
plans, to organize the ongoing, day-to-day performance of tasks. An operational plan
includes the necessary tasks for all relevant departments, as well as communication and
reporting requirements, which might include weekly meetings, progress reports, and
other associated tasks. These plans must reflect the organizational structure, with each
subunit, department, or project team conducting its own operational planning and
reporting. Frequent communication and feedback from the teams to the project
managers and/or team leaders, and then up to the various management levels, will make
the planning process as a whole more manageable and successful.
6.3. Information Security Policies, Standards and Practices
Management from all communities of interest, including general staff, information
technology, and information security, must make policies the basis for all information
security planning, design, and deployment. Policies direct how issues should be
addressed and how technologies should be used. Policies do not specify the proper operation
of equipment or software; that information belongs in the standards,
procedures, and practices of users' manuals and systems documentation. In addition,
policy should never contradict law, because this can create a significant liability for the
organization. For a discussion of this issue, see the Offline box regarding Arthur
Andersen.
Information security is primarily a management problem, not a technical one, and
policy is a management tool that obliges personnel to function in a manner that
preserves the security of information assets. Security policies are the least expensive
control to execute, but the most difficult to implement properly.
They have the lowest cost in that their creation and dissemination requires only the time
and effort of the management team. Even if the management team hires an outside
consultant to help develop policy, the costs are minimal compared to those of technical
controls. However, shaping policy is difficult because policy must:
- Never conflict with laws
- Be properly administered through dissemination and documented acceptance
Definition
A policy is a plan or course of action that conveys instructions from an
organization’s senior management to those who make decisions, take actions, and
perform other duties. Policies are organizational laws in that they dictate acceptable
and unacceptable behavior within the organization. Like laws, policies define what
is right, what is wrong, what the penalties are for violating policy, and what the
appeal process is. Standards, on the other hand, are more detailed statements of what
must be done to comply with policy. They have the same requirements for
compliance as policies. Standards may be informal or part of an organizational
culture, as in de facto standards. Or standards may be published, scrutinized, and
ratified by a group, as in formal or de jure standards. Finally, practices, procedures,
and guidelines effectively explain how to comply with policy. Figure 5-1 shows
policies as the force that drives standards, which in turn drive practices, procedures,
and guidelines.
Policies are put in place to support the mission, vision, and strategic planning of an
organization. The mission of an organization is a written statement of an
organization's purpose. The vision of an organization is a written statement about
the organization’s goals—where will the organization be in five years? Strategic
planning is the process of moving the organization toward its vision. The meaning
of the term security policy depends on the context in which it is used. Governmental
agencies view security policy in terms of national security and national policies to
deal with foreign states. A security policy can also communicate a credit card
agency’s method for processing credit card numbers. In general, a security policy is
a set of rules that protect an organization's assets. An information security policy
provides rules for the protection of the information assets of the organization.