MCA – IInd Sem., Session 2023-24
Cyber Security (Code KCAA01)
Lecture Notes (Part-1)
Unit-4
Introduction to Security Policies
Faculty:
Dr. Brijesh Kr. Gupta
Professor, MCA Dept.
SPOC- Cyber Security
Need for Information Security Policy
• An information security policy helps
organizations define procedures for identifying
and mitigating vulnerabilities and risks.
• It also details quick responses to minimize
damage during a security incident.
• Information security policies define what is
required of an organization’s employees from a
security perspective.
• Information security policies reflect the risk
appetite of an organization’s management and
should reflect the managerial mindset when it
comes to security.
• Information security policies provide direction
upon which a control framework can be built to
secure the organization against external
and internal threats.
• Information security policies are a mechanism to
support an organization’s legal and ethical
responsibilities.
• Information security policies are a mechanism to
hold individuals accountable for compliance with
expected behaviors with regard to information
security.
Information Security Standards - ISO
• ISO was established in 1947.
• ISO/IEC 27001 is an international standard to
manage information security.
• The standard was originally published jointly by
the International Organization for
Standardization (ISO) and the International
Electrotechnical Commission (IEC) in 2005,
revised in 2013, and again most recently in
2022.
• ITU – International Telecommunication Union
ISO:27002
• ISO27002 is a “Code of Practice” recommending a large number of
information security controls.
• Control objectives throughout the standard are generic, high-level
statements of business requirements for securing or protecting
information assets.
• The numerous information security controls recommended by the
standard are meant to be implemented in the context of an ISMS, in order
to address risks and satisfy applicable control objectives systematically.
• Compliance with ISO27002 implies that the organization has adopted a
comprehensive, good practice approach to securing information.
ISO / IEC 27002:2005
ISO/IEC 27002:2005 establishes guidelines and
general principles for initiating, implementing,
maintaining, and improving information
security management in an organization.
The objectives outlined provide general
guidance on the commonly accepted goals of
information security management.
Ten Security Domains:
• Security Policy
• Organization for Information Security
• Asset Management
• Human Resource Security
• Physical and Environmental Security
• Communication & Operations Mgmt.
• Access Control
• Information System Acquisition, Development, and
Maintenance
• Info. Sec. Incident Mgmt.
• Business Continuity Mgmt. and Compliance
ISO:27001
• ISO27001 formally specifies how to establish an Information
Security Management System (ISMS).
• The adoption of an ISMS is a strategic decision.
• The design and implementation of an organization’s ISMS is
influenced by its business and security objectives, its security risks
and control requirements, the processes employed and the size
and structure of the organization: a simple situation requires a
simple ISMS.
• The ISMS will evolve systematically in response to changing risks.
• Compliance with ISO27001 can be formally assessed and certified.
A certified ISMS builds confidence in the organization’s approach
to information security management among stakeholders.
ISO / IEC 27001:2005
• ISO/IEC 27001:2005 specifies the requirements
for establishing, implementing, operating,
monitoring, reviewing, maintaining and
improving a documented Information Security
Management System within the context of the
organization's overall business risks.
• This standard defines a cyclic model known as the
Plan-Do-Check-Act (PDCA) model.
PDCA Model
• The "Plan-Do-Check-Act" (PDCA) model
applies at different levels throughout the
ISMS (cycles within cycles).
• The same approach is used for quality
management in ISO9000.
• The diagram illustrates how an ISMS takes
as input the information security
requirements and expectations and
through the PDCA cycle produces
managed information security outcomes
that satisfy those requirements and
expectations.
PDCA Model
• Plan (establish the ISMS)
– Establish ISMS policy, objectives, processes and procedures relevant to
managing risk and improving information security to deliver results in
accordance with an organization’s overall policies and objectives.
• Do (implement and operate the ISMS)
– Implement and operate the ISMS policy, controls, processes and
procedures.
• Check (monitor and review the ISMS)
– Assess and, where applicable, measure process performance against
ISMS policy, objectives and practical experience and report the results to
management for review.
• Act (maintain and improve the ISMS)
– Take corrective and preventive actions, based on the results of the
internal ISMS audit and management review or other relevant
information, to achieve continual improvement of the ISMS.
ISO / IEC 15408
ISO/IEC 15408-1, also known as the Common
Criteria for Information Technology Security
Evaluation (referred to more simply as
Common Criteria or CC), establishes the
general concepts and principles of IT security
evaluation and specifies the general model of
evaluation given by various parts of the
standard.
ISO / IEC 13335
• ISO/IEC IS 13335-2 is an ISO standard
describing the complete process of
information security Risk Management in a
generic manner.
• The annexes contain examples of information
security Risk Assessment approaches as well
as lists of possible threats, vulnerabilities and
security controls.
Various Security Policies & Their Review Process
A security review is a collaborative process used
to identify security-related issues, determine
the level of risk associated with those issues,
and make informed decisions about risk
mitigation or acceptance.
1. The WWW Policy
2. The e-mail Security Policy
3. The Corporate Policy
WWW Security Policy
• A website security policy is a set of rules and
guidelines that define how your website
should protect itself and its users from cyber
attacks. It covers aspects such as access
control, encryption, backup, monitoring, and
incident response.
E-Mail Security Policy
• An email security policy defines rules about the
use of email within an organization.
• By laying out the rules and expectations for the
use of corporate email, an organization can
manage its email security risks by educating its
users and encouraging them to properly use
corporate email systems.
Ten Commandments of E-Mail
• Demonstrate the same respect that you give to
verbal communications.
• Check spelling and grammar, and read the message
thrice before sending.
• Do not forward any chain letter.
• Do not transmit unsolicited mass e-mail (spam).
• Do not send hateful, harassing or threatening
messages to fellow users.
• Do not send any message that supports illegal or
unethical activities.
• E-mail is the equivalent of an electronic post card,
and will not be used to transmit sensitive
information.
• Do not use e-mail broadcasting facilities except
for making appropriate announcements.
• Keep personal e-mail use to a minimum.
• Keep policies and procedures sacred and
help administrators protect the system from abusers.
Corporate Policy
• A security policy is a document that spells
out principles and strategies for an
organization to maintain the security of its
information assets.
• A corporate policy comprises:
– Company Mission Statement
– Company Objectives
– Principles on the basis of which strategic
decisions are made
References:
• ISO/IEC 27001:2005. Information Technology – Security
Techniques – Information Security Management Systems –
Requirements. Known as ISO 27001.
• ISO/IEC 27002:2005. Information Technology – Security
Techniques – Code of Practice for Information Security
Management. Known as ISO 27002.
• S. P. Tripathi, et al. “Introduction to Information Security and
Cyber Laws”, Dream Tech Press. ISBN: 9789351194736, 2015.
• Brijesh Kr. Gupta, “Planning Phase ISO 27001:
Scope, Role & Responsibilities in ISMS”, ITU Program
Session on Information Security Internal Audit, 30 May 2019,
ALTTC, Ghaziabad, INDIA.