Term saying the organization must be able to demonstrate that the relevant policy has been made readily available for review by employees
Term saying the organization must be able to demonstrate that it disseminated the document in intelligible form, including versions for illiterate, non-English-reading, and reading-impaired employees
Term saying the organization must be able to demonstrate that employees understand the requirements and content of the policy
Term saying the organization must be able to demonstrate that employees agree to comply with the policy through an act or affirmation
Term saying the organization must be able to demonstrate that the policy has been uniformly enforced
a set of guidelines or instructions that an organization's senior management implements to regulate the activities of members of the organization who make decisions, take actions, and perform other duties; they are organizational laws
more detailed statements of what must be done to comply with a policy
is also known as a general security policy, IT security policy, or information security policy. This policy sets the strategic direction, scope, and tone for all security efforts within the organization.
Statement of Purpose, IT security elements, need for IT security, IT security responsibilities and roles, reference to other IT standards and guidelines
Components of the EISP
Policy that addresses specific areas of technology, requires frequent updates, and contains an issue statement on the organization's position on an issue.
statement of policy, authorized access, prohibited usage, systems management, violations, review and modification, limitations of liability
Components of the ISSP
Managerial guidance SysSPs
SysSP group created by management to guide the implementation and configuration of technology as well as to regulate the behavior of people in the organization
Technical specifications SysSPs
SysSP group that uses a set of configurations to implement managerial policy
Access control lists
policies that consist of the access control lists, matrices, and capability tables governing the rights and privileges of a particular user to a particular system.
Configuration rule policies
policies that comprise specific configuration codes entered into security systems to guide execution of the system
is the basis for the design, selection, and implementation of all security program elements, including policy implementation, ongoing policy management, risk management programs, education and training programs, technological controls, and maintenance of the security program
is an outline of the overall information security strategy and a roadmap for planned changes to the organization's information security environment
ISO 27000 series
One of the most widely referenced and often discussed security models is the Information Technology - Code of Practice for Information Security Management, which was originally published as the British Standard BS 7799.
sphere of security
the foundation of the security framework. It represents the fact that information is under attack from a variety of sources.
Defense in depth
One of the foundations of security architectures is the requirement to implement security in layers. It requires that the organization establish sufficient security controls and safeguards, so that an intruder faces multiple layers of controls.
The point at which an organization's security protection ends and the outside world begins
is a control measure designed to reduce the incidence of accidental security breaches by employees. These programs are designed to supplement the general education and training programs in place to educate staff on information security. It consists of three elements: security education, security training, and security awareness
contingency planning (CP)
the entire planning conducted by the organization to prepare for, react to, and recover from events that threaten the security of information and information assets in the organization, and the subsequent restoration to normal modes of business operations.
incident response planning (IRP)
the planning process associated with the identification, classification, response, and recovery from an incident.
disaster recovery planning (DRP)
the planning process associated with the preparation for and recovery from a disaster, whether natural or man-made.
Business Continuity Planning (BCP)
the planning process associated with ensuring that critical business functions continue if a catastrophic incident or disaster occurs.
Business Impact Analysis (BIA)
an investigation and assessment of the impact that various attacks can have on the organization, and takes up where the Risk Assessment process leaves off.
a detailed description of the activities that occur during an attack; one must be developed for every serious threat the organization faces, and they are used to determine the extent of damage that could result to a business unit if the attack were successful.
attack scenario end case
the final result of the business impact analysis, which utilizes attack success scenarios to estimate the cost of the best, worst, and most likely cases.
incident response (IR)
the set of activities taken to plan for, detect, and correct the impact of an incident on information assets.
Business continuity planning
this outlines reestablishment of critical business operations during a disaster that impacts operations at the primary site. If a disaster has rendered the current location of the business unusable for continued operations, there must be a plan to allow the business to continue to function.
This includes the actions taken during and after a disaster, and focuses first and foremost on the people involved and addresses the viability of the business.