Question

Define, discuss and develop information security policy with all its elements.

Answer 1

Information Security Policy:
It is a set of policy issued by organization that all users within the domain of organization stored digitally at any point in the network
Information security is like arms race. Organizations will change and grow over a period of time; hence they should have room for required version updates. The policy needs to be revised at fixed intervals, and all the revision need to be approved and documented by te unauthorized person.
The information security policy has
a. It should be practical and enforceable.
b. It should have a room for revision and updates.

Elements:
1. Audience:The scope of the audience to whom the information security policy applies should be mentioned clearly, it should define what is considered as out of scope.
They define the audience to whom the information security applies.
E.g. staff in anoter business unit which manages security separetly may not be in the scope of policy
2. Asset
How asset will be categorized, how assets re-evaluated and what are the details responsibility of a security team, IT team, Users? The solution is special care should be taken to what has to be covered here and what is in the asset management part of the policy.
Asset management basically the IT part of the asset. It will cover the lifecycle of how the asset will be taken onboard, installed, maintained, managed and retired.
3.Data classification:
policy classify data into categories which may include topscreat secret confidential and public.
By using this to protect data and avoid needless security for unimportant data.
4.Objectives
Information security classify 3 objectives
a. Confidentiality : information authorized to access and not to disclosed others.
b. Integrity : keep data intact and accurate.
c. Availability: information is disposal of authorized users when needed.
5.Security Behavior:
Share Security with your staff. Construct training session to inform employees of security procedures and mechanism including data protection measures, access protection measures and sensittive data.
6.Authority:
The manager have the authority to decide what data can be shared and with whom. The policy should outline the level of authority over the data and IT systesm for each organization