Study Notes on Policy Development and Security Policies

Chapter 1: Introduction

  • Policy
        - Definition: A formal set of rules and guidelines that govern behavior in an organization.
        - Purpose: Protects data, systems, and users.
        - Components:
            - Set of Rules
            - Guidelines
            - Protection of Data
            - Protection of Systems
            - Protection of Users
  • Life Cycle Policy Development
        - Steps involved in developing a policy:
            1. Identify the Need
                - Determine what problem is being solved through the policy.
                - Examples of problems a policy may address:
                    - Data breaches
                    - Weak or reused passwords (addressed by a password policy)
                    - Unauthorized outsiders entering the premises of an organization such as a school (addressed by a physical access policy)
            2. Research Requirements
            3. Draft Policy
            4. Review and Approval
            5. Implementation
            6. Enforcement
            7. Review and Update

Chapter 2: Draft The Policy

  • No ID, No Entry
        - Example of a simple, enforceable rule: anyone without an ID card is denied entry. It shows that a rule is only useful if it is clear enough to be applied on the spot.
  • Research and Gather Requirements
        - Gather specific requirements for the policy after identifying the issue to resolve.
  • Draft the Policy
        - Important to create clear, simple, and enforceable rules.
  • Review and Approve
        - The draft is checked by management, the legal team, and/or IT before it is approved.
        - Reviewers compare the draft against existing policies so that its guidelines are consistent and do not conflict.
  • Implementation
        - Finalize the approved draft and roll it out across the organization, involving everyone it applies to, including guards and students.

Chapter 3: Update Policy

  • Training
        - Provide the training people need to understand the policy and the security measures it requires.
  • Enforcement
        - Monitor compliance with the policy and make sure everyone is aware of the consequences of violating it.
        - Examples of consequences include suspension and termination.
        - Enforcement must continue after implementation, including ongoing monitoring of employees.
  • Review and Update
        - A policy is not a one-time creation; it must evolve and be updated regularly as needs change.
        - Reemphasis on the life cycle of policy development: Identify, Research, Draft, Review, Implement, Enforce, and Review & Update.

Chapter 4: Specific Security Policy

  • Purpose
        - Protect sensitive data within the organization and ensure compliance with applicable requirements.
        - Reduce the risks to sensitive data by guiding user behavior through the guidelines set out in the policy.
  • Types of Information Assurance Policies
        - Policies are categorized by the level at which they apply and by their specific focus.
        - Enterprise Information Security Policy (EISP)
            - High-level policy created by top management that sets the overall security direction and is enforced across the whole organization.
        - Issue Specific Security Policy (ISSP)
            - Targeted policy that addresses a specific issue or topic (e.g., an email usage policy or a photo-upload policy).

Chapter 5: System Specific Policy

  • Definition
        - Technical, detailed guidelines written specifically for IT staff and system administrators.
  • Examples
        - Firewall rules
        - Security rules
        - Backup rules
        - Password standards and configuration guidelines
  • Summary of Policies
        - EISP: Focus on the broader picture.
        - ISSP: Specific rules tied to particular topics.
        - System Specific Policy (SysSP): Detailed instructions necessary for maintaining systems.

Chapter 6: Acceptable Use Policy (AUP)

  • Definition
        - The Acceptable Use Policy outlines how users may properly use the organization's IT resources.
        - Having access to a resource does not mean it may be used in any way the user likes.
  • Components of AUP
        - Allowed Activities: Work-related tasks, browsing, accessing company systems.
        - Prohibited Activities:
            - Downloading illegal content
            - Accessing inappropriate websites
            - Installing unauthorized software
        - A clearly written AUP, covering computers, printers, and other IT resources, helps maintain the integrity of the organization.

Chapter 7: Possible Data Breaches

  • User Responsibilities
        - Users must protect their passwords and use IT resources responsibly.
  • Monitoring Statement
        - Users should be aware that their activities may be monitored to ensure compliance with the policy.
  • Consequences for Breaches
        - Consequences of a policy violation can range from a warning to suspension and even termination.
  • Components of AUP:
        - Allowed Activities
        - Prohibited Activities
        - User Responsibilities
        - Monitoring Statements
        - Consequences of Violations

Chapter 8: Conclusion

  • Summary
        - A structured process is essential to developing a policy.
        - The types of policies covered are EISP, ISSP, SysSP, and AUP.
        - Users are obligated to use IT resources in accordance with the AUP.
  • Submission Reminder
        - BSIT students must submit their sample AUP in Google Classroom by the deadline. The sample must include: purpose, scope, acceptable use, prohibited activities, user responsibilities, monitoring, privacy, confinement of violations, and consequences.