Dipesh Bhatta
Formally agreed to be the act or affirmation: As previously said, there are numerous factors to take into account while forming a policy. The formal agreement resulting from the act is one of the most significant of them. The act or affirmation must be followed by a policy that neither breaks the law nor has an unanticipated effect on other areas of concern.
4. Describe the bull’s-eye model. What does it say about the policy in the
information security program?
The bull's-eye model is a systematic method that begins with policy and then moves inward to more specialized information security issues. It provides a tried-and-true mechanism for prioritizing complex changes, and information security professionals now often employ it. Its four layers are Policies, Networks, Systems, and Applications.
The outermost layer of the bull's-eye model is made up of policies. In the bull's-eye model, a policy is the plan or course of action adopted by a government, political party, or company to direct and influence decisions, actions, and other matters; everything in the inner layers should follow from it.
5. Are policies different from standards? In what way?
Policies are the rules or regulations, whereas standards are more like a description of what must be done to implement a policy. They work closely together. To put it another way, policies act as statements of intent, whereas standards act as instructions for carrying out the stated goals of those policies. These are the distinctions between policies and standards.
6. Are policies different from procedures? In what way?
Policies are the plans or courses of action that one must adhere to, whereas procedures are the step-by-step instructions on how to do so. They work together: once a policy has been developed, it must be carried out and enforced by following the right procedures. These are the distinctions between policies and procedures.
7. For a policy to have any effect, what must happen after it is approved by
the management? What are some ways to accomplish this?
Information security is built on policies, and an organization bases each decision on its policy. Therefore, developing and implementing a policy is crucial. For a policy to be effective, all members or workers of the organization must be required to read, comprehend, and agree to abide by it. Additionally, policies must be widely disseminated and accessible. Some approaches to accomplishing this are creating policies that are significant to the organization, educating members about the importance of policies, and adhering to legal requirements while developing a policy. These are a few methods for achieving an effective policy.
8. Is policy considered static or dynamic? What factors might determine this
status?
Policies are crucial for a company. Depending on the circumstance and the context of the policy, they may be static or dynamic. Policies must contain firm regulations and requirements that cannot be altered or disregarded to benefit one employee over another. In conclusion, a policy can be either static or dynamic; its status is determined by variables such as the type of policy, the organization's circumstances, and the available information security expertise.
9. List and describe the three types of information security policy as
described by NIST SP 800-14.
The three types of information security policies described by NIST SP 800-14 are listed and described below:
• Enterprise information security program policy (EISP)
• Issue-specific information security policy (ISSP)
• Systems-specific information security policies (SysSP)
ISSP: This information security policy is designed to control the use of technologies in the organization, or to address other issues concerning the organization's resources. This type of policy must begin with a brief introduction to the organization's philosophy regarding the underlying technology. It also helps protect both the employees and the organization from inefficiency.
SysSP: Although they are not as well known as the policies mentioned above, they are just as important. A SysSP is created to act as the procedures or standards that are used when a system is configured or maintained. SysSPs can be separated into two groups: managerial guidance and technical specifications.
The ISSP's main job is to address technological resources. A few examples include the use of e-mail, instant messaging, electronic communications, and the internet; installing and using software or hardware that the organization did not issue; using a work-owned computer at home; using a personal device on the work network; using telecommunications technologies (fax, phone, mobile phone); and using photocopying and scanning equipment. A second characteristic of the ISSP is that it requires frequent updates: as machinery and technology advance, the ISSP will require adjustments. The ISSP may also need to change if the job functions of the organization's members change. For example, if the organization begins to allow teleworking, the rule prohibiting taking computer work home will need to be revised. The ISSP should therefore serve as a flexible manual.
The ISSP should also include a position statement on each issue that the organization takes a stand on, which lessens the company's potential liabilities. This section generally contains a general statement or a list of disclaimers stating that the company will not be held accountable for employees who are found using company property or equipment for illegal activities. If employees use company-owned technology to violate a rule or the law, the corporation will not defend them and will not be held liable for their actions. This naturally assumes that the company's management did not approve of the infraction.
15. What should be the first component of an ISSP when it is presented? Why?
What should be the second major heading, in your opinion? Why?
In my opinion, a Statement of Purpose should be the first element of an ISSP when it is presented. The statement of purpose clarifies who is accountable for the policy, as well as what kind of technology it covers.
In my opinion, the second heading should be "approved access and usage of equipment," because it deals with user access, fair and responsible user behavior, and privacy protection, all of which are crucial once a policy has been put in place. Therefore, the second major category should be "approved access and use of equipment."
16. List and describe three common ways in which ISSP documents are
created and/or managed.
The common ways to create and manage ISSP documents are listed below:
➢ Creating several independent ISSP documents, each written to address a specific issue.
➢ Creating a single comprehensive ISSP document that covers all the issues the organization currently faces.
➢ Creating a modular ISSP document that unifies policy creation and administration.
17. List and describe the two general groups of material included in most
SysSP documents.
The two general groups of material included in most SysSP documents are listed below:
Managerial guidance: Managerial guidance directs the implementation and configuration of the technology and addresses the behavior expected of users in order to help secure the information.
Technical specifications: The technical specifications are the part of a systems-specific security policy that contains the technical information regarding the purchase, application, configuration, and management of a specific technology.