World Headquarters
Jones & Bartlett Learning
5 Wall Street
Burlington, MA 01803
978-443-5000
info@jblearning.com
www.jblearning.com
Jones & Bartlett Learning books and products are available through most bookstores and online booksellers. To contact Jones & Bartlett Learning directly, call 800-832-0034, fax 978-443-8000, or visit our website, www.jblearning.com.
Substantial discounts on bulk quantities of Jones & Bartlett Learning publications are available to corporations, professional associations, and other qualified organizations. For details and specific discount information, contact the special sales department at Jones & Bartlett Learning via the above contact information or send an email to specialsales@jblearning.com.
Copyright © 2015 Jones & Bartlett Learning, LLC, an Ascend Learning Company
All rights reserved. No part of the material protected by this copyright may be reproduced or utilized in any form, electronic or mechanical, including photocopying, recording, or by any information storage and retrieval system, without written permission from the copyright owner.
Security Policies and Implementation Issues, Second Edition is an independent publication and has not been authorized, sponsored, or otherwise approved by the owners of the trademarks or service marks referenced in this product. The screenshots in this product are for educational and instructive purposes only. All trademarks displayed are the trademarks of the parties noted therein. Such use of trademarks is not an endorsement by said parties of Jones & Bartlett Learning, its products, or its services, nor should such use be deemed an endorsement by Jones & Bartlett Learning of said third party’s products or services.
Microsoft, Internet Explorer, Windows, Microsoft Office, Microsoft Security Development Lifecycle, and Microsoft Baseline Security Analyzer are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. (ISC)2, CISSP, ISSAP, ISSMP, ISSEP, CSSLP, CCFP, CAP, SSCP, and CBK are registered and service marks of (ISC)2, Inc.
This publication is designed to provide accurate and authoritative information in regard to the subject matter covered. It is sold with the understanding that the publisher is not engaged in rendering legal, accounting, or other professional service. If legal advice or other expert assistance is required, the service of a competent professional person should be sought.
Production Credits
Chief Executive Officer: Ty Field
President: James Homer
Chief Product Officer: Eduardo Moura
SVP, Curriculum Solutions: Christopher Will
Director of Sales, Curriculum Solutions: Randi Roger
Author: vLab Solutions, LLC, David Kim, President
Editorial Management: High Stakes Writing, LLC, Lawrence J. Goodrich, President
Copy Editor, High Stakes Writing: Ruth Walker
Product Manager, Custom and Curriculum Solutions: Rainna Erikson
Associate Director of Production: Julie Bolduc
Composition: Gamut+Hue, LLC
Rights & Photo Research Manager: Lauren Miller
Manufacturing and Inventory Control Supervisor: Amy Bacus
Senior Marketing Manager: Andrea DeFronzo
Cover Design: Scott Moden
Cover Image: © HunThomas/ShutterStock, Inc.
Chapter Opener Image: © Rodolfo Clix/Dreamstime.com
Printing and Binding: Edwards Brothers Malloy
Cover Printing: Edwards Brothers Malloy
ISBN: 978-1-284-05599-3
Library of Congress Cataloging-in-Publication Data not available at time of printing
6048
Printed in the United States of America 18 17 16 15 14 10 9 8 7 6 5 4 3 2 1
Contents
Preface
Acknowledgments
PART ONE The Need for IT Security Policy Frameworks
CHAPTER 1 Information Systems Security Policy Management
What Is Information Systems Security?
Information Systems Security Management Life Cycle
What Is Information Assurance?
Confidentiality
Integrity
Nonrepudiation
What Is Governance?
Why Is Governance Important?
What Are Information Systems Security Policies?
Where Do Information Systems Security Policies Fit Within an Organization?
Why Information Systems Security Policies Are Important
Policies That Support Operational Success
Challenges of Running a Business Without Policies
Dangers of Not Implementing Policies
Dangers of Implementing the Wrong Policies
When Do You Need Information Systems Security Policies?
Business Process Reengineering (BPR)
Continuous Improvement
Making Changes in Response to Problems
Why Enforcing and Winning Acceptance for Policies Is Challenging
CHAPTER SUMMARY
KEY CONCEPTS AND TERMS
CHAPTER 1 ASSESSMENT
CHAPTER 2 Business Drivers for Information Security Policies
Why Are Business Drivers Important?
Maintaining Compliance
Compliance Requires Proper Security Controls
Security Controls Must Include Information Security Policies
Relationship Between Security Controls and Information Security Policy
Mitigating Risk Exposure
Educate Employees and Drive Security Awareness
Prevent Loss of Intellectual Property
Protect Digital Assets
Secure Privacy of Data
Lower Risk Exposure
Minimizing Liability of the Organization
Separation Between Employer and Employee
Acceptable Use Policies
Confidentiality Agreement and Nondisclosure Agreement
Business Liability Insurance Policies
Implementing Policies to Drive Operational Consistency
Forcing Repeatable Business Processes Across the Entire Organization
Differences Between Mitigating and Compensating Controls
Policies Help Prevent Operational Deviation
CHAPTER SUMMARY
KEY CONCEPTS AND TERMS
CHAPTER 2 ASSESSMENT
ENDNOTES
CHAPTER 3 U.S. Compliance Laws and Information Security Policy Requirements
U.S. Compliance Laws
What Are U.S. Compliance Laws?
Why Did U.S. Compliance Laws Come About?
Whom Do the Laws Protect?
Which Laws Require Proper Security Controls to Be Included in Policies?
Which Laws Require Proper Security Controls for Handling Privacy Data?
Aligning Security Policies and Controls with Regulations
Industry Leading Practices and Self-Regulation
Some Important Industry Standards
Payment Card Industry Data Security Standard (PCI DSS)
Statement on Standards for Attestation Engagements No. 16 (SSAE16)
Information Technology Infrastructure Library (ITIL)
CHAPTER SUMMARY
KEY CONCEPTS AND TERMS
CHAPTER 3 ASSESSMENT
ENDNOTES
CHAPTER 4 Business Challenges Within the Seven Domains of IT Responsibility
The Seven Domains of a Typical IT Infrastructure
User Domain
Workstation Domain
LAN Domain
LAN-to-WAN Domain
WAN Domain
Remote Access Domain
System/Application Domain
Information Security Business Challenges and Security Policies That Mitigate Risk Within the Seven Domains
User Domain
Workstation Domain
LAN Domain
LAN-to-WAN Domain
WAN Domain
Remote Access Domain
System/Application Domain
CHAPTER SUMMARY
KEY CONCEPTS AND TERMS
CHAPTER 4 ASSESSMENT
CHAPTER 5 Information Security Policy Implementation Issues
Human Nature in the Workplace
Basic Elements of Motivation
Personality Types of Employees
Leadership, Values, and Ethics
Organizational Structure
Flat Organizations
Hierarchical Organizations
The Challenge of User Apathy
The Importance of Executive Management Support
Selling Information Security Policies to an Executive
Before, During, and After Policy Implementation
The Role of Human Resources Policies
Relationship Between HR and Security Policies
Lack of Support
Policy Roles, Responsibilities, and Accountability
Change Model
Responsibilities During Change
Roles and Accountabilities
When Policy Fulfillment Is Not Part of Job Descriptions
Impact on Entrepreneurial Productivity and Efficiency
Applying Security Policies to an Entrepreneurial Business
Tying Security Policy to Performance and Accountability
CHAPTER SUMMARY
KEY CONCEPTS AND TERMS
CHAPTER 5 ASSESSMENT
ENDNOTE
PART TWO Types of Policies and Appropriate Frameworks
CHAPTER 6 IT Security Policy Frameworks
What Is an IT Policy Framework?
What Is a Program Framework Policy or Charter?
Industry-Standard Policy Frameworks
What Is a Policy?
What Are Standards?
What Are Procedures?
What Are Guidelines?
Business Considerations for the Framework
Roles for Policy and Standards Development and Compliance
Information Assurance Considerations
Confidentiality
Integrity
Availability
Information Systems Security Considerations
Unauthorized Access to and Use of the System
Unauthorized Disclosure of the Information
Disruption of the System or Services
Modification of Information
Destruction of Information Resources
Best Practices for IT Security Policy Framework Creation
Case Studies in Policy Framework Development
Private Sector Case Study
Public Sector Case Study
Private Sector Case Study
CHAPTER SUMMARY
KEY CONCEPTS AND TERMS
CHAPTER 6 ASSESSMENT
CHAPTER 7 How to Design, Organize, Implement, and Maintain IT Security Policies
Policies and Standards Design Considerations
Architecture Operating Model
Principles for Policy and Standards Development
The Importance of Transparency with Regard to Customer Data
Types of Controls for Policies and Standards
Document Organization Considerations
Sample Templates
Considerations for Implementing Policies and Standards
Building Consensus on Intent
Reviews and Approvals
Publishing Your Policies and Standards Library
Awareness and Training
Policy Change Control Board
Business Drivers for Policy and Standards Changes
Maintaining Your Policies and Standards Library
Updates and Revisions
Best Practices for Policies and Standards Maintenance
Case Studies and Examples of Designing, Organizing, Implementing, and Maintaining IT Security Policies
Private Sector Case Study
Public Sector Case Study
CHAPTER SUMMARY
KEY CONCEPTS AND TERMS
CHAPTER 7 ASSESSMENT
CHAPTER 8 IT Security Policy Framework Approaches
IT Security Policy Framework Approaches
Risk Management and Compliance Approach
The Physical Domains of IT Responsibility Approach
Roles, Responsibilities, and Accountability for Personnel
The Seven Domains of a Typical IT Infrastructure
Organizational Structure
Organizational Culture
Separation of Duties
Layered Security Approach
Domain of Responsibility and Accountability
Governance and Compliance
IT Security Controls
IT Security Policy Framework
Best Practices for IT Security Policy Framework Approaches
What Is the Difference Between GRC and ERM?
Case Studies and Examples of IT Security Policy Framework Approaches
Private Sector Case Study
Public Sector Case Study
Critical Infrastructure Case Study
CHAPTER SUMMARY
KEY CONCEPTS AND TERMS
CHAPTER 8 ASSESSMENT
ENDNOTE
CHAPTER 9 User Domain Policies
The Weakest Link in the Information Security Chain
Social Engineering
Human Mistakes
Insiders
Seven Types of Users
Employees
Systems Administrators
Security Personnel
Contractors
Vendors
Guests and General Public
Control Partners
Contingent System
Why Govern Users with Policies?
Acceptable Use Policy (AUP)
The Privileged-Level Access Agreement (PAA)
Security Awareness Policy (SAP)
Best Practices for User Domain Policies
Understanding Least Access Privileges and Best Fit Privileges
Case Studies and Examples of User Domain Policies
Government Laptop Compromised
The Collapse of Barings Bank, 1995
Unauthorized Access to Defense Department Systems
CHAPTER SUMMARY
KEY CONCEPTS AND TERMS
CHAPTER 9 ASSESSMENT
CHAPTER 10 IT Infrastructure Security Policies
Anatomy of an Infrastructure Policy
Format of a Standard
Workstation Domain Policies
LAN Domain Policies
LAN-to-WAN Domain Policies
WAN Domain Policies
Remote Access Domain Policies
System/Application Domain Policies
Telecommunications Policies
Best Practices for IT Infrastructure Security Policies
Case Studies and Examples of IT Infrastructure Security Policies
Private Sector Case Study
Public Sector Case Study
Critical Infrastructure Case Study
CHAPTER SUMMARY
KEY CONCEPTS AND TERMS
CHAPTER 10 ASSESSMENT
CHAPTER 11 Data Classification and Handling Policies and Risk Management Policies
Data Classification Policies
When Is Data Classified or Labeled?
The Need for Data Classification
Legal Classification Schemes
Military Classification Schemes
Business Classification Schemes
Developing a Customized Classification Scheme
Classifying Your Data
Data Handling Policies
The Need for Policy Governing Data at Rest and in Transit
Policies, Standards, and Procedures Covering the Data Life Cycle
Identifying Business Risks Related to Information Systems
Types of Risk
Development and Need for Policies Based on Risk Management
Risk and Control Self-Assessment
Risk Assessment Policies
Risk Exposure
Prioritization of Risk, Threat, and Vulnerabilities
Risk Management Strategies
Vulnerability Assessments
Vulnerability Windows
Patch Management
Quality Assurance Versus Quality Control
Best Practices for Data Classification and Risk Management Policies
Case Studies and Examples of Data Classification and Risk Management Policies
Private Sector Case Study
Public Sector Case Study
Private Sector Case Study
CHAPTER SUMMARY
KEY CONCEPTS AND TERMS
CHAPTER 11 ASSESSMENT
CHAPTER 12 Incident Response Team (IRT) Policies
Incident Response Policy
What Is an Incident?
Incident Classification
The Response Team Charter
Incident Response Team Members
Responsibilities During an Incident
Users on the Front Line
System Administrators
Information Security Personnel
Management
Support Services
Other Key Roles
Business Impact Analysis (BIA) Policies
Component Priority
Component Reliance
Impact Report
Development and Need for Policies Based on the BIA
Procedures for Incident Response
Discovering an Incident
Reporting an Incident
Containing and Minimizing the Damage
Cleaning Up After the Incident
Documenting the Incident and Actions
Analyzing the Incident and Response
Creating Mitigation to Prevent Future Incidents
Handling the Media and Deciding What to Disclose
Business Continuity Planning Policies
Dealing with Loss of Systems, Applications, or Data Availability
Response and Recovery Time Objectives
Policies Based on the BIA
Best Practices for Incident Response Policies
Disaster Recovery Plan Policies
Disaster Declaration Policy
Assessment of the Disaster’s Severity and of Potential Downtime
Case Studies and Examples of Incident Response Policies
Private Sector Case Study
Public Sector Case Study
Critical Infrastructure Case Study
CHAPTER SUMMARY
KEY CONCEPTS AND TERMS
CHAPTER 12 ASSESSMENT
PART THREE Implementing and Maintaining an IT Security Policy Framework
CHAPTER 13 IT Security Policy Implementations
Simplified Implementation Process
Target State
Distributed Infrastructure
Outdated Technology
Lack of Standardization Throughout the IT Infrastructure
Executive Buy-in, Cost, and Impact
Executive Management Sponsorship
Overcoming Nontechnical Hindrances
Policy Language
Employee Awareness and Training
Organizational and Individual Acceptance
Motivation
Developing an Organization-Wide Security Awareness Policy
Conducting Security Awareness Training Sessions
Human Resources Ownership of New Employee Orientation
Review of Acceptable Use Policies (AUPs)
Information Dissemination—How to Educate Employees
Hard Copy Dissemination
Posting Policies on the Intranet
Using E-mail
Brown Bag Lunches and Learning Sessions
Policy Implementation Issues
Governance and Monitoring
Best Practices for IT Security Policy Implementations
Case Studies and Examples of IT Security Policy Implementations
Private Sector Case Study
Public Sector Case Study
CHAPTER SUMMARY
KEY CONCEPTS AND TERMS
CHAPTER 13 ASSESSMENT
CHAPTER 14 IT Security Policy Enforcement
Organizational Support for IT Security Policy Enforcement
Executive Management Sponsorship
Governance Versus Management
Organizational Structure
The Hierarchical Organizational Approach to Security Policy Implementation
Front-Line Managers’ and Supervisors’ Responsibility and Accountability
Grass-Roots Employees
An Organization’s Right to Monitor User Actions and Traffic
Compliance Law: Requirement or Risk Management?
What Is Law and What Is Policy?
What Security Controls Work to Enforce Protection of Privacy Data?
What Automated Security Controls Can Be Implemented Through Policy?
What Manual Security Controls Assist with Enforcement?
Legal Implications of IT Security Policy Enforcement
Who Is Ultimately Accountable for Risk, Threats, and Vulnerabilities?
Where Must IT Security Policy Enforcement Come From?
Best Practices for IT Security Policy Enforcement
Case Studies and Examples of Successful IT Security Policy Enforcement
Private Sector Case Study
Public Sector Case Study No. 1
Public Sector Case Study No. 2
CHAPTER SUMMARY
KEY CONCEPTS AND TERMS
CHAPTER 14 ASSESSMENT
CHAPTER 15 IT Policy Compliance and Compliance Technologies
Creating a Baseline Definition for Information Systems Security
Policy-Defining Overall IT Infrastructure Security Definition
Vulnerability Window and Information Security Gap Definition
Tracking, Monitoring, and Reporting IT Security Baseline Definition and Policy Compliance
Automated Systems
Random Audits and Departmental Compliance
Overall Organizational Report Card for Policy Compliance
Automating IT Security Policy Compliance
Automated Policy Distribution
Configuration Management and Change Control Management
Collaboration and Policy Compliance Across Business Areas
Version Control for Policy Implementation Guidelines and Compliance
Compliance Technologies and Solutions
COSO Internal Controls Framework
SCAP
SNMP
WBEM
Digital Signing
Best Practices for IT Security Policy Compliance Monitoring
Case Studies and Examples of Successful IT Security Policy Compliance Monitoring
Private Sector Case Study
Public Sector Case Study
Nonprofit Sector Case Study
CHAPTER SUMMARY
KEY CONCEPTS AND TERMS
CHAPTER 15 ASSESSMENT
APPENDIX A Answer Key
APPENDIX B Standard Acronyms
Glossary of Key Terms
References
Index
To my wife, Lin, and my children
Preface
Purpose of This Book
This book is part of the Information Systems Security & Assurance Series from Jones & Bartlett Learning (www.jblearning.com). Designed for courses and curriculums in IT Security, Cybersecurity, Information Assurance, and Information Systems Security, this series features a comprehensive, consistent treatment of the most current thinking and trends in this critical subject area. These titles deliver fundamental information-security principles packed with real-world applications and examples. Authored by Certified Information Systems Security Professionals (CISSPs), they deliver comprehensive information on all aspects of information security. Reviewed word for word by leading technical experts in the field, these books are not just current, but forward-thinking—putting you in the position to solve the cybersecurity challenges not just of today, but of tomorrow, as well.
Implementing IT security policies and related frameworks for an organization can seem like an overwhelming task, given the vast number of issues and considerations. Security Policies and Implementation Issues demystifies this topic, taking you through a logical sequence of discussions about major concepts and issues related to security policy implementation.
It is a unique book that offers a comprehensive, end-to-end view of information security policies and frameworks, from the raw organizational mechanics of building them to the psychology of implementing them. This book presents an effective balance between technical knowledge and soft skills, both of which are necessary for understanding the business context and the psychology of motivating people and leaders. It also introduces you in clear, simple terms to many different concepts of information security such as governance, regulatory mandates, business drivers, legal considerations, and more. If you need to understand how information risk is controlled, or are responsible for oversight of those who do, you will find this book helpful.
Part 1 of this book focuses on why private and public sector organizations need an information technology (IT) security framework consisting of documented policies, standards, procedures, and guidelines. As businesses, organizations, and governments change the way they operate and organize their overall information systems security strategy, one of the most critical security controls is documented IT security policies.
Part 2 defines the major elements of an IT security policy framework. Many organizations, under recent compliance laws, must now define, document, and implement information security policies, standards, procedures, and guidelines. Many organizations and businesses conduct a risk assessment to determine their current risk exposure within their IT infrastructure. Once these security gaps and threats are identified, more stringent information security policies are designed and put in place. This can provide an excellent starting point for the creation of an IT security policy framework.
Policies are only as effective as the individuals who create them and enforce them within an organization. Part 3 of this book explains how to successfully implement and enforce policies within an organization. Emerging techniques and automation of policy enforcement are also examined.
This book is a valuable resource for students, security officers, auditors, and risk leaders who want to understand what a successful implementation of security policies and frameworks looks like.
Learning Features
The writing style of this book is practical and conversational. Step-by-step examples of information security concepts and procedures are presented throughout the text. Each chapter begins with a statement of learning objectives. Illustrations are used both to clarify the material and to vary the presentation. The text is sprinkled with Notes, Tips, FYIs, Warnings, and sidebars to alert the reader to additional helpful information related to the subject under discussion. Chapter Assessments appear at the end of each chapter, with solutions provided in the back of the book.
Chapter summaries are included in the text to provide a rapid review or preview of the material and to help students understand the relative importance of the concepts presented.
Audience
The material is suitable for undergraduate or graduate computer science majors or information science majors, students at a two-year technical college or community college who have a basic technical background, or readers who have a basic understanding of IT security and want to expand their knowledge.
Acknowledgments
I would like to thank Jones & Bartlett Learning for the opportunity to write this book and be a part of the Information Systems Security & Assurance Series project. I offer my deep appreciation to Lawrence Goodrich and Ruth Walker, who did an excellent job coordinating this book despite many challenges. Their guidance, patience, and support were instrumental to its success.
A special thank you goes to Mike Chapple, whose experience and debate on risk topics was very helpful. His thought-provoking challenges were much appreciated. Thanks also to Mark Merkow and Darril Gibson for contributing content to this book.
I would also like to thank the staff and volunteers at ISACA, who dedicate themselves to providing global thought leadership to help define best practices for information audit, security, and risk management. Special thanks to Julia Fullerton who helped facilitate access to ISACA IP material.
My gratitude to Gary Dickhart, Customer Advisory Group, who passed on lessons to me over the years on driving for high-quality results and never forgetting about compassionate management. His lessons on teamwork and motivation are insightful.
Additional thanks to a myriad of friends and supporters at E&Y and KPMG who offered suggestions and insights. The caliber of these professionals is amazing, and the experiences they freely share extremely valuable.
—Rob Johnson
About the Author
ROB JOHNSON has more than 22 years of experience in information risk, IT audit, privacy, and security management. He has a diverse background that includes hands-on operational experience, as well as providing strategic risk assessment and support to leadership and board-level audiences. He is currently a Senior Vice President at Bank of America in the Global Technology Organization.
Johnson has held senior roles in large global companies, large domestic banks, and as product architect for an international software company. Several of the key risk-related roles he has held include Head of Information and Operations Risk Management for ING U.S. Financial Services, Senior Partner at Aegis USA Executive Consulting, First Vice President and IT Senior Audit Director for WAMU, Vice President/CISO for Security Services at First Bank Systems, and Product Owner and Architect for SAP/ERP solutions at Bindview.
Johnson lives in Seattle with his wife and children. He holds a BS in interdisciplinary studies from the University of Houston with a concentration in computer science and mathematics. He is a Certified Information Systems Auditor (CISA), Certified Information Security Manager (CISM), Certified Information Systems Security Professional (CISSP), Certified in Risk and Information Systems Control (CRISC), and Certified in the Governance of Enterprise IT (CGEIT). Rob has served on several international education and standards committees, including as one of the 19 members of the prestigious international C5 Task Force that developed COBIT 5.
PART ONE
The Need for IT Security Policy Frameworks
CHAPTER 1 Information Systems Security Policy Management
CHAPTER 2 Business Drivers for Information Security Policies
CHAPTER 3 U.S. Compliance Laws and Information Security Policy Requirements
CHAPTER 4 Business Challenges Within the Seven Domains of IT Responsibility
CHAPTER 5 Information Security Policy Implementation Issues
CHAPTER 1 Information Systems Security Policy Management
FOR AN ORGANIZATION TO ACHIEVE ITS GOALS, business processes must be reliable, keep costs low, and obey the law. Most organizations use policies and procedures to tell employees what the business wants to achieve and how to perform tasks to get there. This way the business can achieve consistent quality in delivering its products and services.
In a perfect world, policies and procedures would always produce the perfect product. This requires employees to follow policies and procedures at all times. However, we do not live in a perfect world. Neither policies nor procedures are always perfect, nor do employees always follow them. Anyone who has cashed a check at a bank understands what a basic procedure looks like. A check-cashing procedure includes checking the person’s identification and the account balance. The bank’s policy states that when a teller follows the check-cashing procedure, and the account has sufficient funds, the teller may give the cash to the account holder. The teller must follow this procedure to protect the customer and the bank from fraud.
Business processes are highly dependent on timely information. It’s hard to find an organization that does not rely on technology, whether it sells hamburgers, cashes checks, or builds the next-generation airliner. Processes use technology and information to make business decisions, keep food safe, track inventory, and control manufacturing, among other things. The more complex these technologies become, the more vulnerable they are to disruption; and the more people rely on them in their daily lives, the more exposed people are when these technologies do not work. You can think of a policy as a business requirement on actions or processes performed by an organization. An example is the requirement that a customer provide a receipt when returning an item to a retail store for a refund. That may be a simple example, but essentially it places a control on the return process. In the same manner, security policies require controls in processes specific to the information system.
One of the challenges organizations face is the cost of keeping pace with ever-changing technology. This includes the need to update policies at the same time the organization updates technology. Failure to do so could create weaknesses in the system. These weaknesses could make business processes and information vulnerable to loss or theft.
In the creation of information systems security policies, also called security policies, IS policies, or ISS policies, many factors drive policy requirements. These requirements include organization size, processes, type of information, and laws and regulations. Once an organization creates policies, it will face both technical and human challenges implementing them. The keys to implementing policies are employee acceptance and management enforcement. A policy is worth little or nothing if no one follows it.
Chapter 1 Topics
This chapter covers the following topics and concepts:
• What information systems security is
• How information assurance plays an important role in securing information
• What governance is
• Why governance is important
• What information systems security policies are and how they differ from standards and procedures
• Where policies fit within an organization’s structure to effectively reduce risk
• Why security policies are important to business operations, and how business changes affect policies
• When information systems security policies are needed
• Why enforcing, and winning acceptance for, security policies is challenging
Chapter 1 Goals
When you complete this chapter, you will be able to:
• Compare and contrast information systems security and information assurance
• Compare and contrast quality control and quality assurance
• Describe information systems security policies and their importance in organizations
• Describe governance and its importance in maintaining compliance with laws
• Explain what policies are and how they fit into an organization
• Compare and contrast threat, vulnerability, and risk
What Is Information Systems Security?
A good definition of information systems security (ISS) is the act of protecting information and the systems that store and process it. This protection is against risks that would lead to unauthorized access, use, disclosure, disruption, modification, or destruction of information. It’s not just the information inside a computer you need to protect. Information needs to be protected in any form, including printed documents and removable media such as DVDs. In fact, well-structured security policies ensure protection of information in any location and in any form. Many organizations come up with effective ways of protecting buildings, people, and other physical resources. And most people understand the need to lock their doors at home at night. Yet they may not always have the same instincts or habits when it comes to handling data. And sometimes the rules for dealing with information are unclear.