Laila Alahaideb

Information Security Policy

Information Security, also known as InfoSec, refers to the policies, processes, and tools designed and deployed to protect sensitive business information and assets. InfoSec is concerned with safeguarding the confidentiality, integrity, and availability of information. Because the three properties pull against one another (tighter confidentiality controls, for example, can reduce availability), InfoSec aims to strike the balance of the CIA triangle that best meets the information access needs of the organization deploying it.

The CIA triangle stands for confidentiality, integrity, and availability and is a guiding model in information security. A comprehensive InfoSec strategy includes policies and security controls that minimize threats to these three crucial components. This forms the basis for the development of a secure system.

An InfoSec policy is a set of guidelines that dictate how an organization protects, manages, and distributes information. Whitman and Mattord describe three types of InfoSec policy:

1. Enterprise Information Security Policy (EISP): The highest-level policy, which sets the organization's security philosophy and the scope of its security program.

2. Issue-Specific Security Policy (ISSP): Addresses a specific technology or issue, such as acceptable use of email or the privacy of email.

3. Systems-Specific Security Policy (SysSP): Covers specific or individual computer systems, such as firewalls and web servers, often in the form of configuration standards and access control rules.

The basic rules for shaping a policy are:

1. Policy should never conflict with the law.

2. Policy must be able to stand up in court if challenged, which requires that it be distributed, read, understood, and agreed to by those it covers.

3. Policy must be properly supported and administered, not treated merely as a management tool for meeting legal requirements. It exists to protect the organization.

The Bull's-eye model

The Bull's-eye model is a policy implementation framework that addresses issues by moving from the general to the specific, from the outer ring of the target inward. It starts with the Policies layer, the outermost ring, representing the general strategic policy statements. The next layer is the Networks layer, which focuses on implementing security on the network, where the organization meets the outside world. After policies and network security are in place, the focus moves to ensuring that all critical system elements are protected; this is the Systems layer, the collection of hardware and software used to run the organization. Finally, the innermost ring is the Applications layer, the collection of application systems the organization relies on.

Policy refers to a body of guidelines that directs decisions and actions within the organization, and to be effective it must be easily distributed, readily understood, agreed to, and uniformly enforced. Policy documents serve as a significant reference point for internal audits and for resolving legal disputes over whether management exercised due diligence. They also provide a clear statement of management's intentions.


M. E. Whitman and H. J. Mattord, Management of Information Security
