Using the framework presented in this chapter, draft a sample issue-specific security policy for an organization. At the beginning of your document, describe the organization for which you are creating the policy and then complete the policy using the framework.
York University
Issue-Specific Security Policy (ISSP)
A sound issue-specific security policy provides detailed, targeted guidance to instruct all members of the organization in the use of technology-based systems. The ISSP should begin with an introduction of the fundamental technological philosophy of the organization. It should assure the members of the organization that the purpose of the policy is not to provide a legal foundation for persecution or prosecution, but to provide a common understanding of the purposes for which an employee can and cannot use the technology. Once this understanding is established, employees are free to use the technology without seeking approval for each type of use. This serves to protect both the employee and the organization from inefficiency and ambiguity. According to Whitman et al. (1999), an effective ISSP:
• Articulates the organization’s expectations about how the technology-based system in question should be used
• Documents how the technology-based system is controlled and identifies the processes and authorities that provide this control
• Serves to indemnify the organization against liability for an employee’s inappropriate or illegal system use
An effective ISSP is a binding agreement between parties (the organization and its members) and shows that the organization has made a good faith effort to ensure that its technology is not used in an inappropriate manner. An ISSP may be drafted to cover many topics, including e-mail, use of the Internet and World Wide Web, office computing equipment, and a host of other fair and responsible use areas. The specific situation of any particular organization dictates the exact wording of the security procedures as well as issues not covered within these general guidelines. There are seven major sections of a good ISSP (Whitman, 2003). These are described here in detail.
1. Statement of Purpose - a clear statement of purpose that outlines the scope and applicability of the policy, addressing the purpose of this policy, who is responsible and accountable for policy implementation, and what technologies and issues the policy document addresses.
2. Authorized Access and Usage of Equipment - who can use the technology governed by the policy, and for what purposes. This section defines “fair and responsible use” of equipment and other organizational assets, as well as addressing key legal issues, such as protection of personal information and privacy.
3. Prohibited Usage of Equipment - what the issue or technology cannot be used for, that is, personal use, disruptive use or misuse, criminal use, offensive or harassing materials, and infringement of copyrighted, licensed, or other intellectual property. Unless a particular use is clearly prohibited, the organization cannot penalize employees for such usage.
4. Systems Management - the users’ relationships to systems management, including systems maintenance and storage authorization and restriction. The Systems Management section should specify users’ and systems administrators’ responsibilities.
5. Violations of Policy - the penalties and repercussions of violating the usage and systems management policies, as well as instructions on how to report observed or suspected violations, either openly or anonymously.
6. Policy Review and Modification - procedures and a timetable for periodic review. This section should contain a specific methodology for the review and modification of the ISSP, to ensure that users always have guidelines that reflect the organization’s current technologies and needs.
7. Limitations of Liability - a general statement of liability or set of disclaimers. If an individual employee is caught conducting illegal activities with organizational equipment or assets, management does not want the organization held liable. Therefore, if employees violate a company policy or any law using company technologies, the company will not protect them, and is not liable for their actions, assuming that the violation is not known or sanctioned by management.