ISO 27002/17799 (2005): 5.1 Information security policy. Objective: To provide management direction and support for information security in accordance with business requirements and relevant laws and regulations. Management should set a clear policy direction in line with business objectives and demonstrate support for, and commitment to, information security through the issue and maintenance of an information security policy across the organization.
The Security Policy is intended to define what is expected of an organization with respect to Information Security. The overall objective is to control or guide human behavior in order to reduce the risk to information assets from accidental or deliberate actions. This policy - as well as all policies, standards, and guidelines in this web site - is designed to help you understand the company's expectations for access to and use of information assets owned, operated, or provided by the company.

As-of-date: 24 April 2008
isp000-01 Scope
This policy applies to all company operating units and entities with direct, indirect, or implied access to information assets owned by or entrusted to the company.
isp000-10 Responsibility

isp000-11 Business Unit Manager
- Identify and protect information assets within their sphere of influence
- Ensure employee awareness of this policy and supporting procedures, guidelines, and standards
- Review and reinforce compliance with established security controls

isp000-12 Information Security Manager
- Oversee the protection of company assets
- Develop and implement security policies and standards
- Serve as consultant and assist management in all matters relating to information security for the protection of company assets
- Ensure that system, network, and application security requirements are in compliance with this policy

Note: In the absence of an Information Security Professional, some of these duties should be divided between systems, operations, and business management.
isp000-20 Requirements
All employees are responsible for becoming familiar and compliant with this policy and related standards, guidelines, and procedures. Additionally, internal audit personnel are responsible for reporting any known or observed deficiencies in this policy's control mechanisms. Such deficiencies must be documented and reported to the cognizant supervisor, manager, or other officer of the company for improvement.

isp000-30 Policy/Standard
Information Assets are vital company resources that require protection commensurate with their value. Mechanisms shall be in place to protect these assets from accidental or deliberate modification, destruction, unauthorized disclosure, or other malfeasance to ensure confidentiality, integrity, and availability.
ISO 17799 Section 5.1.1 Information security policy document
A policy document should be approved by management, published and communicated, as appropriate, to all employees. It should state management commitment and set out the organization’s approach to managing information security. This policy should be communicated throughout the organization to users in a form that is relevant, accessible and understandable to the intended reader.
isp000-40 Compliance
This policy - and all pertinent standards, guidelines, and procedures that reinforce this policy - shall serve as criteria to be employed by management for compliance review processes.
ISO 17799 Section 5.1.2 Review and evaluation
The policy should have an owner who is responsible for its maintenance and review according to a defined review process. That process should ensure that a review takes place in response to any changes affecting the basis of the original risk assessment, e.g. significant security incidents, new vulnerabilities or changes to the organizational or technical infrastructure. There should also be scheduled, periodic reviews of the following:
a) the policy’s effectiveness, demonstrated by the nature, number and impact of recorded security incidents;
b) cost and impact of controls on business efficiency;
c) effects of changes to technology.
isp000-50 Enforcement
A breach of standards, procedures, and/or guidelines established in support of this policy shall be directed to the appropriate manager for action that could result in employee termination and/or legal action.

isp000-60 Special Conditions or Exceptions
isp000-70 Additional Statements or Comments
Note: The terms asset, resource, system, application, and network used in this policy should be broadly interpreted. Systems and assets may include computers, networks, software, peripherals, and applications. At a minimum, the Information Security Policies (ISP) in this product meet the following ISO 17799 Standards:

ISO 17799 Applicable Security Controls (ISO 2005)
- 15.1.4 Data protection and privacy of personal information
- 15.1.3 Protection of organizational records
- 15.1.2 Intellectual property rights
- 5.1 Information security policy document
- 6.1.3 Allocation of information security responsibilities
- 8.2.2 Information security awareness, education, and training
- 13.1.1 Reporting security incidents
- 14.1 Information Security Aspect of Business Continuity Management