World Headquarters
Jones & Bartlett Learning
5 Wall Street
Burlington MA 01803
978-443-5000
www.jblearning.com
Jones & Bartlett Learning books and products are available through most bookstores and online booksellers. To contact Jones & Bartlett Learning directly, call 800-832-0034, fax 978-443-8000, or visit our website, www.jblearning.com.
Substantial discounts on bulk quantities of Jones & Bartlett Learning publications are available to corporations, professional associations, and other qualified organizations. For details and specific discount information, contact the special sales department at Jones & Bartlett Learning via the above contact information or send an email to .
Copyright 2022 by Jones & Bartlett Learning, LLC, an Ascend Learning Company
All rights reserved. No part of the material protected by this copyright may be reproduced or utilized in any form, electronic or mechanical, including photocopying, recording, or by any information storage and retrieval system, without written permission from the copyright owner.
The content, statements, views, and opinions herein are the sole expression of the respective authors and not that of Jones & Bartlett Learning, LLC. Reference herein to any specific commercial product, process, or service by trade name, trademark, manufacturer, or otherwise does not constitute or imply its endorsement or recommendation by Jones & Bartlett Learning, LLC and such reference shall not be used for advertising or product endorsement purposes. All trademarks displayed are the trademarks of the parties noted herein. Security Policies & Implementation Issues, Third Edition is an independent publication and has not been authorized, sponsored, or otherwise approved by the owners of the trademarks or service marks referenced in this product.
There may be images in this book that feature models; these models do not necessarily endorse, represent, or participate in the activities represented in the images. Any screenshots in this product are for educational and instructive purposes only. Any individuals and scenarios featured in the case studies throughout this product may be real or fictitious, but are used for instructional purposes only.
Production Credits
VP, Product Management: Amanda Martin
Director of Product Management: Laura Pagluica
Product Manager: Edward Hinman
Content Strategist: Melissa Duffy
Content Coordinator: Paula-Yuan Gregory
Development Editor: Ginny Munroe
Technical Editor: Rob Shimonski
Project Manager: Lori Mortimer
Project Specialist: John Coakley
Digital Project Specialist: Rachel DiMaggio
Marketing Manager: Michael Sullivan
Production Services Manager: Colleen Lamy
Product Fulfillment Manager: Wendy Kilborn
Composition: Exela Technologies
Project Management: Exela Technologies
Cover Design: Briana Yates
Text Design: Kristin E. Parker
Media Development Editor: Faith Brosnan
Rights Specialist: James Fortney
Cover Image (Title Page, Part Opener, Chapter Opener): obpcnh/Shutterstock
Printing and Binding: LSC Communications
Library of Congress Cataloging-in-Publication Data
Names: Johnson, Rob (Robert), author. | Easttom, Chuck, author.
Title: Security policies and implementation issues / Robert Johnson, Chuck Easttom.
Description: [Third edition] | Burlington, MA : Jones & Bartlett Learning, [2021] | Includes bibliographical references and index.
Identifiers: LCCN 2020018594 | ISBN 9781284199840 (paperback)
Subjects: LCSH: Computer security.
Classification: LCC QA76.9.A25 J64 2021 | DDC 005.8/dc23
LC record available at https://lccn.loc.gov/2020018594
6048
Printed in the United States of America
24 23 22 21 20 10 9 8 7 6 5 4 3 2 1
To my wife Teresa, who is always very supportive of all I do.
Dr. Chuck Easttom
Preface
Purpose of This Book
This book is part of the Information Systems Security & Assurance Series from Jones & Bartlett Learning (www.jblearning.com). Designed for courses and curriculums in IT Security, Cybersecurity, Information Assurance, and Information Systems Security, this series features a comprehensive, consistent treatment of the most current thinking and trends in this critical subject area. These titles deliver fundamental information-security principles packed with real-world applications and examples. Authored by Certified Information Systems Security Professionals (CISSPs), they deliver comprehensive information on all aspects of information security. Reviewed word for word by leading technical experts in the field, these books are not just current, but forward thinking: they put you in the position to solve the cybersecurity challenges not just of today, but of tomorrow as well.
Implementing IT security policies and related frameworks for an organization can seem like an overwhelming task, given the vast number of issues and considerations. Security Policies and Implementation Issues demystifies this topic, taking you through a logical sequence of discussions about major concepts and issues related to security policy implementation.
It is a unique book that offers a comprehensive, end-to-end view of information security policies and frameworks, from the raw organizational mechanics of building them to the psychology of implementing them. This book presents an effective balance between technical knowledge and soft skills, both of which are necessary for understanding the business context and the psychology of motivating people and leaders. It also introduces you, in clear, simple terms, to many different concepts of information security, such as governance, regulatory mandates, business drivers, legal considerations, and more. If you need to understand how information risk is controlled, or are responsible for oversight of those who do, you will find this book helpful.
Part 1 of this book focuses on why private and public sector organizations need an information technology (IT) security framework consisting of documented policies, standards, procedures, and guidelines. As businesses, organizations, and governments change the way they operate and organize their overall information systems security strategy, one of the most critical security controls is a set of documented IT security policies.
Part 2 defines the major elements of an IT security policy framework. Many organizations, under recent compliance laws, must now define, document, and implement information security policies, standards, procedures, and guidelines. Many organizations and businesses conduct a risk assessment to determine their current risk exposure within their IT infrastructure. Once these security gaps and threats are identified, more stringent information security policies are designed and put in place. This can provide an excellent starting point for the creation of an IT security policy framework.