The InfoSec Handbook

Policies, Procedures, and Processes

Information security is incomplete without clearly defined policies that guide employees, contractors, and suppliers. Policies provide guidance to everyone and demonstrate management's commitment to them. The following are some of the policies that are important to most organizations, as per ISO/IEC 27001:2013:

• Information Security Management Systems Policy

• Access Control Policy

• Information Classification and Handling Policy

• Physical and Environmental Security Policy

• Acceptable Use of Assets Policy

• Clear Desk and Clear Screen Policy

• Privacy and Protection of Personally Identifiable Information Policy

• Mobile Devices and Teleworking Policy

• Backup Policy

• Restrictions on Software Installations and Use Policy

• Protection from Malware Policy

• Management of Technical Vulnerabilities Policy

• Information Transfer Policy

• Communications Security Policy

• Cryptographic Controls Policy

• Policy on Supplier Relationships

Other standards, such as ISO/IEC 20000-1:2011 (Information technology – Service management – Part 1: Service management system requirements), call for additional policies.

Procedures and processes describe how the intent of the policies is to be implemented. They give step-by-step instructions on how to carry out the work so that the intent of these policies is adhered to.

Training employees, contractors, and suppliers on the relevant policies, procedures, and processes is a must in order to ensure that these are understood. With an ever-evolving business environment, challenging risks, and changing technologies, policies need to be reviewed and kept current. Thus, the training process should be ongoing and continual.

Technology

Technology is another important pillar. There are many good and competing technologies available to protect information security. All of these technologies need to be evaluated within the entire context of the organization to ensure they integrate seamlessly with the overall fulfilment of both business and information security requirements. Technology should fulfil the requirements of the information security architecture. The business and its risks and opportunities should be the main focus, and technology should be an enabler of that goal rather than an end in itself.

Some of the important technologies available are automated monitoring and alerting systems, logging systems, detection systems, preventive systems, and recovery systems. Examples are firewalls, IDS/IPS, and anti-virus software.
