Question

Using the framework presented in this chapter, draft a sample issue-specific security policy for an organization. At the beginning of your document, describe the organization for which you are creating the policy and then complete the policy using the framework.

Answer 1

York university

Issue-Specific Security Policy (ISSP)

A sound issue-specific security policy provides detailed, targeted guidance to instruct all members of the organization in the use of technology-based systems. The ISSP should begin with an introduction of the fundamental technological philosophy of the organization. It should assure the members of the organization that the purpose of the policy is not to provide a legal foundation for persecution or prosecution, but to provide a common understanding of the purposes for which an employee can and cannot use the technology. Once this understanding is established, employees are free to use the technology without seeking approval for each type of use. This serves to protect both the employee and the organization from inefficiency and ambiguity. According to Whitman et al., (1999) an effective ISSP:
• Articulates the organization’s expectations about how the technology-based system in question should be used
• Documents how the technology-based system is controlled and identifies the processes and authorities that provide this control
• Serves to indemnify the organization against liability for an employee’s inappropriate or illegal system use
An effective ISSP is a binding agreement between parties (the organization and its members) and shows that the organization has made a good faith effort to ensure that its technology is not used in an inappropriate manner. An ISSP may be drafted to cover many topics, including e-mail, use of the Internet and World Wide Web, office computing equipment, and a host of other fair and responsible use areas. The specific situation of any particular organization dictates the exact wording of the security procedures as well as issues not covered within these general guidelines. There are seven major sections of a good ISSP (Whitman, 2003). These are described here in detail.
1. Statement of Purpose - a clear statement of purpose that outlines the scope and applicability of the policy, addressing the purpose of this policy, who is responsible and accountable for policy implementation and what technologies and issues the policy document addresses.
2. Authorize Access and Usage of Equipment - who can use the technology governed by the policy, and for what purposes. This section defines “fair and responsible use” of equipment and other organizational assets, as well as addressing key legal issues,such as protection of personal information and privacy.
3. Prohibited Usage of Equipment - what the issue or technology cannot be used for, that is, personal use, disruptive use or misuse, criminal use, offensive or harassing materials, and infringement of copyrighted, licensed, or other intellectual property. Unless a particular use is clearly prohibited, the organization cannot penalize employees for such usage.
4. Systems Management - the users’ relationships to systems management, including systems maintenance and storage authorization and restriction. The Systems Management section should specify users’ and systems administrators’ responsibilities.
5. Violations of Policy - the penalties and repercussions of violating the usage and systems management policies, as well as instructions on how to report observed or suspected violations, either openly or anonymously.
6. Policy Review and Modification - procedures and a timetable for periodic review. This section should contain a specific methodology for the review and modification of the ISSP, to ensure that users always have guidelines that reflect the organization’s current technologies and needs.
7. Limitations of Liability - a general statement of liability or set of disclaimers. If an individual employee is caught conducting illegal activities with organizational equipment or assets, management does not want the organization held liable. Therefore, if employees violate a company policy or any law using company technologies, the company will not protect them, and is not liable for their actions, assuming that the violation is not known or sanctioned by management.