Question

In: Computer Science

Using the framework presented in this chapter, draft a sample issue-specific security policy for an organization. At the beginning of your document, describe the organization for which you are creating the policy and then complete the policy using the framework.

Solutions

Expert Solution

York university

Issue-Specific Security Policy (ISSP)

A sound issue-specific security policy provides detailed, targeted guidance to instruct all members of the organization in the use of technology-based systems. The ISSP should begin with an introduction of the fundamental technological philosophy of the organization. It should assure the members of the organization that the purpose of the policy is not to provide a legal foundation for persecution or prosecution, but to provide a common understanding of the purposes for which an employee can and cannot use the technology. Once this understanding is established, employees are free to use the technology without seeking approval for each type of use. This serves to protect both the employee and the organization from inefficiency and ambiguity. According to Whitman et al. (1999), an effective ISSP:
• Articulates the organization’s expectations about how the technology-based system in question should be used
• Documents how the technology-based system is controlled and identifies the processes and authorities that provide this control
• Serves to indemnify the organization against liability for an employee’s inappropriate or illegal system use
An effective ISSP is a binding agreement between parties (the organization and its members) and shows that the organization has made a good faith effort to ensure that its technology is not used in an inappropriate manner. An ISSP may be drafted to cover many topics, including e-mail, use of the Internet and World Wide Web, office computing equipment, and a host of other fair and responsible use areas. The specific situation of any particular organization dictates the exact wording of the security procedures as well as issues not covered within these general guidelines. There are seven major sections of a good ISSP (Whitman, 2003). These are described here in detail.
1. Statement of Purpose - a clear statement of purpose that outlines the scope and applicability of the policy, addressing the purpose of this policy, who is responsible and accountable for policy implementation and what technologies and issues the policy document addresses.
2. Authorized Access and Usage of Equipment - who can use the technology governed by the policy, and for what purposes. This section defines “fair and responsible use” of equipment and other organizational assets, as well as addressing key legal issues, such as protection of personal information and privacy.
3. Prohibited Usage of Equipment - what the issue or technology cannot be used for, that is, personal use, disruptive use or misuse, criminal use, offensive or harassing materials, and infringement of copyrighted, licensed, or other intellectual property. Unless a particular use is clearly prohibited, the organization cannot penalize employees for such usage.
4. Systems Management - the users’ relationships to systems management, including systems maintenance and storage authorization and restriction. The Systems Management section should specify users’ and systems administrators’ responsibilities.
5. Violations of Policy - the penalties and repercussions of violating the usage and systems management policies, as well as instructions on how to report observed or suspected violations, either openly or anonymously.
6. Policy Review and Modification - procedures and a timetable for periodic review. This section should contain a specific methodology for the review and modification of the ISSP, to ensure that users always have guidelines that reflect the organization’s current technologies and needs.
7. Limitations of Liability - a general statement of liability or set of disclaimers. If an individual employee is caught conducting illegal activities with organizational equipment or assets, management does not want the organization held liable. Therefore, if employees violate a company policy or any law using company technologies, the company will not protect them, and is not liable for their actions, assuming that the violation is not known or sanctioned by management.

