
Resource - Information Security Program Guide: Company Policies, Departmental Procedures, IT Standards & Guidelines

Year: 2021. Genre: Business.


Information Security Policy
Introduction
1.1 Background/Purpose:
A downloadable Word document version can be found by joining the free cyber security resource community at www.cybersecurityresource.com.
Once you're a community member, select the Information Security Program Guide from the store and use coupon code INFOSECPOLICY to access your download.
(the Company) has a substantial investment in its information systems and applications. These systems also present a substantial exposure to the Company should the information they contain be disclosed, corrupted or should the Company be denied access to the applications for any period of time.
The Company takes this subject very seriously. As a result, the failure of any individual to comply with this Policy, and the standards and procedures documented within, may result in corrective action, up to and including termination.
1.2 Policy Introduction:
This policy applies to all information systems and applications. Every application and the systems that support it must document, implement and monitor an approved level of controls suitable for the specific application. These controls must be reviewed by the <> on a periodic basis to ensure they meet corporate, ethical and legislative requirements. The controls are divided into the following areas:
Identify - Develop the organizational understanding to manage security risk to systems, assets, data, and capabilities.
Protect - Develop and implement the appropriate safeguards to ensure delivery of critical infrastructure services.
Detect - Develop and implement the appropriate activities to identify the occurrence of a security event.
Respond - Develop and implement the appropriate activities to take action regarding a detected security event.
Recover - Develop and implement the appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to a security event.
Identify
Develop the organizational understanding to manage security risk to systems, assets, data, and capabilities. The activities in the Identify Function are foundational for effective use of the Framework. Understanding the business context, the resources that support critical functions and the related security risks enables an organization to focus and prioritize its efforts, consistent with its risk management strategy and business needs. Examples of outcome Categories within this Function include: Asset Management; Business Environment; Governance; Risk Assessment; and Risk Management Strategy.
2.1 Asset Management
The data, personnel, devices, systems, and facilities that enable the organization to achieve business purposes are identified and managed consistent with their relative importance to business objectives and the organization's risk strategy.
  • Physical devices and systems within the organization are inventoried
    • Appropriate and adequate Operations staff are assigned to locate, track, count, and document all critical infrastructure network hardware, computing systems, physical machines, virtual machines, virtual and physical network circuits, staff devices, mobile devices, receivers, transmitters, antennas, optical systems, transportation systems and any system or device that has computing, storage and network connectivity functions.
    • Identify and maintain a current inventory of its information assets and system configurations, including interconnections with other internal and external systems, in order to know at all times the assets that support its business functions and processes.
    • Operations staff assigned to inventory critical infrastructure network devices and systems utilize easy-to-operate database software and technologies that can automate, scale and report on the adding and removing of networked resources that are inventoried. This automated system should detect the presence of unauthorized hardware.
  • Software platforms and applications within the organization are inventoried
    • An approved list of software shall be maintained by the IT department. Any request for software installation that is not included in the approved software list shall require approval from the Chief Information Security Officer.
    • A software license inventory shall be maintained as proof and evidence of ownership of software licenses, master disks, manuals, etc.
    • Appropriate and adequate Operations staff are assigned to locate, track, count, and document all network critical infrastructure software, critical applications, OSS software (i.e., Billing & Customer Account DBs), network/customer databases, mobile employee supporting systems, and stored information that is critical to the operations of the organization.
    • Operations staff assigned to inventory network critical software use easy-to-operate database software and technologies that can automate, scale and report on the adding and removing of network software resources that are inventoried. This automated system can detect the presence of unauthorized software, databases and applications.
  • Organizational communication and data flows are mapped
    • Groups of information services, users, and information systems are segregated on the network.
    • Risks to the company's information and information assets from business processes involving external parties are identified, and appropriate controls implemented before granting access.
    • Networks are managed and controlled in order to protect the company from threats and to maintain security for the systems and applications using the network, including information in transit.
    • Security features, service levels, and management requirements of all network services are identified and included in any network services agreement, whether these services are provided in-house or outsourced.
    • Computing systems, information storage systems, databases, VPNs, LANs, VLANs, WANs, Text/SMS, and Email systems can all have the scheduling, credentials of access, business process rules, and security controls built into them, such that personnel and authorized external entities can access the correct information in a timely manner according to the documented communications flow.
    • The company management team determines "who internally" needs to know "what information", and "when" and "how" that information will be delivered. The organization can take into account "all" internal communications with: Tiers I, II, III of operations, network ops centers, engineering, technical management, program/project management, customer service, IT, sales, C-suite officials, billing, accounting, human resources, security offices, etc.
  • External information systems are catalogued
    • Any computing asset employed by Third Parties that connects to the Company network or handles Internal Use Information shall conform to Company Security Policies.
    • Maintenance and service shall be controlled and conducted by authorized personnel in accordance with supplier-recommended intervals, insurance policies and the organization's maintenance program, taking into account whether this maintenance is performed by personnel on site or external to the organization.