List and describe the three types of InfoSec Policies:
In what way are policies different from procedures?
Please explain in detail, and do not copy.
* Enterprise information security policy (EISP): It defines attitude, possibility, planned and strategic direction, tone, the scope for an organization, and all the security areas and oriented topics within a company or an organization. It directly reflects the tasks and goals of a company or an organization.
* Issue-specific security policy (ISSP): It is used as a guide to all the employees or members of a company or an organization on the new technologies such as e-mail, Internet, Virtual Private Network (VPN), etc., how they are and should be used, related issues, attacks, cases, etc. It enables the employees to learn and understand the policy and at the same time aids them in how to uphold the organization's ethical codes.
* System-specific security policy (SysSP): It focuses on and defines specific types of systems, for example firewalls, Virtual Private Network (VPN), mobile devices, etc. It provides the employees with the guidelines for how the systems are to be implemented and upheld, and it manages the systems' configuration, usage, and maintenance standards.
How policies are different from procedures:
* Policies: They define the "Why" for Information Security (InfoSec). They act as anchors for data security. They are statements written, produced, and supported formally by senior management. They are either specific to systems, specific to issues, or company- or organization-wide. An organization's or a company's policies reflect their objectives for their InfoSec program, which include protecting information, management of risks, and the security of the infrastructure. Policies are, in a manner, a building's foundation. They resist changes or erosion and are built to last longer. Intended readers, employees, and users can understand and access them easily. They are created so that they stay intact for many years; for any business requirements, they would be regularly reviewed and changes would be made based on the necessary approvals. Business objectives actually drive them. They convey how much risk senior management is willing to take.
* Procedures: They define the "How" for InfoSec. They are step-by-step instructions written in detail for achieving given mandates or goals. They are meant for internal departments within a company or an organization. Procedures are required for adhering to stringent change control processes. They are developed on the fly, dynamically. Procedures being developed should be documented consistently and comprehensively. They are called a "cookbook" for employees, staff, or users to follow to achieve a task or a repeatable process. They are written in sufficient detail. They are not written and documented such that only a single person or a small team, department, or group understands them, but are created for all. Some examples of procedures are Operating System (OS) installations, carrying out system backup activities, granting employees or users system access rights, and provisioning, creating, adding, and setting up new user accounts for, say, new employees who just joined the company, etc.