
1. What is information security policy? Why is it critical to the success of the information security program?
A set of guidelines and processes that upholds the security of data within an
organization is known as an information security policy, sometimes referred to as a
cybersecurity policy or data security policy. The goal of a business' information security
policy is frequently to ensure that users and networks adhere to the minimum standards
for data protection security and information technology security.
An information security policy offers precise instructions on what to do in the event of a
security breach or other emergency. Strong policies define practices and
recommendations to help businesses protect against threats to the accessibility,
confidentiality, and integrity of data. As a result, the success of the information security
program depends on the information security policies.
2. Of the controls or countermeasures used to control information security
risk, which is viewed as the least expensive? What are the primary costs of
this type of control?
Practically every control or countermeasure employed to reduce information security
risk is crucial, but the least expensive option in terms of cost is policy control. Policies
are regarded as the least expensive of all controls, even though they are challenging to
implement. A well-structured policy can in principle be established without spending any
money; all that is required is time and effort. So the main expense of constructing
policies is the time and effort they take to develop, communicate, and enforce.
3. List and describe the three challenges in shaping policy.
The three challenges in shaping a policy are that it must be:
• Developed using standards recognized by the industry and explicitly authorized by
management.
• Uniformly applied and enforced.
• Formally agreed to by act or affirmation.

Developed using industry accepted practices: A policy must be developed in
accordance with well-known or widely accepted practices. While it is occasionally
worthwhile to venture outside the box and develop your own policy based on your own
practices, it is generally better to stick with the standards set by the industry while making
a few adjustments.
Uniformly applied and enforced: Making a policy is one thing, but putting it into
practice or enforcing it is another. Once a policy has been developed or moulded, it must
be put into practice so that everyone in the organization abides by it or is required to do
so. Regardless of one's status or position within the business, policies must stay the
same for everyone.

Formally agreed to by act or affirmation: As previously said, there are numerous
factors to take into account while forming a policy. The formal agreement resulting from
the act is one of the most significant of them. The act or affirmation must be followed by
a policy that does not break the law or have an unanticipated effect on other areas of
concern.

4. Describe the bull’s-eye model. What does it say about the policy in the
information security program?
The bull's-eye model is a systematic method that begins with policy and moves on to
more specialized information security issues. It provides a tried-and-true mechanism for
prioritizing complex changes, and information security professionals now often employ
it. Its four layers are Policies, Networks, Systems, and Applications.
The bull's-eye model's outermost layer is made up of policies. The bull's-eye model
defines policies as the plan or course of action used by a government, political party, or
company to direct and influence decisions, actions, and other matters.
5. Are policies different from standards? In what way?
Standards are more like a description of what must be done to implement a
policy, whereas policies are the rules or regulations. They collaborate closely. To
put it another way, standards act as instructions for carrying out the stated goals
of policies, whereas policies act as statements of intent. These therefore are the
distinctions between policies and standards.
6. Are policies different from procedures? In what way?
Policies are the plans or courses of action that one must adhere to, whereas procedures
are the instructions on how to do so. They work together. Once a policy has been
developed, it must be carried out by following the right procedures. These therefore are
the distinctions between policies and procedures.
7. For a policy to have any effect, what must happen after it is approved by
the management? What are some ways to accomplish this?
Information security is built on policies. An organization bases each decision on its
policy. Therefore, developing and implementing a policy is crucial. All members or
workers of the organization must be required to read, comprehend, and agree to abide
by the policy for it to be effective. Additionally, policies must be widely disseminated and
accessible to be effective. Creating policies that are significant to the organization,
educating the members about the importance of policies, and adhering to legal
requirements while developing a policy are some approaches to do this. These are a few
methods for achieving effective policy.
8. Is policy considered static or dynamic? What factors might determine this
status?
For a company, policies are crucial. Depending on the circumstance and the context of
the policy, they may be static or dynamic. Policies must have rigid regulations and
requirements that cannot be altered or disregarded for the benefit of one employee over
another. In conclusion, a policy can therefore be both static and dynamic. Its status is
determined by variables such as the type of policy, organizational circumstances, and
information security expertise.
9. List and describe the three types of information security policy as
described by NIST SP 800-14.
The three types of information security policy as described by NIST SP 800-14 are
listed and described below:
• Enterprise information security program policy (EISP)
• Issue-specific information security policy (ISSP)
• Systems-specific information security policy (SysSP)

EISP: This information security policy helps establish well-thought-out methods or
directions, the scope of the resources, and the tone for all of the organization's security
management efforts. Additionally, it allocates duties for the many aspects of information
security, such as upholding other information security policies and defining end user
behavior and responsibilities.

ISSP: This information security policy is designed to control the use of technologies in
the organization or to address other issues regarding the organization's resources. This
type of policy must begin with a brief introduction to the organization's philosophy on the
technology in question. This type of policy also helps to protect both the employees and
the organization from loss of efficiency.

SysSP: Although these are not as well known as the policies mentioned above, they are
important as well. They are created to act as procedures or standards that are used when
a system is configured or maintained. They can also be separated into two groups:
managerial guidance and technical specifications.

10. For what purpose is enterprise information security program policy designed?
To reduce the danger of a cyber threat, the enterprise information security program
policy establishes guidelines for how to access resources such as data, networks, and
other resources. Its main goal is to protect the other resources and information assets
from a potential online threat.
11. For what purpose is an issue-specific security policy designed?
An organization creates issue-specific policies, or ISSPs, to define the rules that govern
how its employees use the technologies the company has invested in. It also aids in
providing specific instructions for directing select staff so that assets crucial to a
business are used properly.
12. For what purpose is a system-specific security program policy (SysSP)
designed?
System-specific security policies, often known as SysSPs, are created to assist in the
configuration of an organization's technology. Additionally, they offer guidance on how to
apply that technology so that the organization benefits from it without obstructing other
processes.
13. List and describe the four elements that should be present in the EISP.
The four elements that should be present in the EISP are listed and described below:
• Statement of purpose: This element answers what the policy was made for. It
also provides a basic framework so that the reader finds it easy to understand
the intent of the document.
• Need for Information Technology Security: This element explains the importance
of information security in the organization and its obligation to protect critical
information, whether it relates to customers, employees, or markets.
• Information Technology Security Responsibilities and Roles: This element
defines the organizational structure that is designed to support the various
information security functions within the organization.
14. List and describe three purposes that the ISSP serves in the organization.
The three purposes that the ISSP serves in the organization are listed and described
below:
• Addressing specific technology-based resources.
• Requiring frequent updates.
• Containing a statement that explains the organization's position on the issue.

The ISSP's main job is to deal with technological resources. A few examples of this
include using e-mail, instant messaging, electronic communications, and the internet;
installing and using software or hardware not issued by the organization; using a
work-owned computer at home; using a personal device on a work network; using
telecommunications technologies (fax, phone, mobile phone); and using photocopying
and scanning equipment. The second purpose of the ISSP is that it requires frequent
updates. This means that as equipment and technology advance, the ISSP will require
adjustments. The ISSP may also need to be changed if the job functions of the
organization's members change; for example, a rule prohibiting taking computer work
home may need to change if the organization starts to allow teleworking. The ISSP
should serve as a flexible manual.

A position statement on each issue that the organization addresses should be included in
the ISSP as well. This reduces the company's potential liabilities. A general statement or
a list of disclaimers indicating that the company will not be held accountable for any
employees who are found using company property or equipment for illegal activities
generally appears in this section. The corporation will not defend its employees and will
not be held liable for their actions if they use company-owned technology to violate a rule
or the law. This naturally assumes that the company's management did not approve of
the infraction.
15. What should be the first component of an ISSP when it is presented? Why?
What should be the second major heading, in your opinion? Why?
A Statement of Purpose should, in my opinion, be the first element of an ISSP when it is
presented. This is so that the statement of purpose can clarify who is accountable for the
policy, as well as what kind of technology is being used.
In my opinion, the second heading should be "approved access and usage of
equipment" because it deals with user access, fair and responsible user behavior, and
privacy protection, all of which are crucial after a policy has been put in place.
Therefore, the second major category must be "approved access and use of equipment."
16. List and describe three common ways in which ISSP documents are
created and/or managed.
The common ways to create and manage ISSP documents are listed below:
➢ Creating several independent ISSP documents, each made to address a
specific issue.
➢ Creating a single comprehensive ISSP document that covers all the issues the
organization is currently facing.
➢ Creating a modular ISSP document that unifies policy creation and
administration.
17. List and describe the two general groups of material included in most
SysSP documents.
The two general groups of material included in most SysSP documents are listed below:
Managerial guidance: Managerial guidance helps guide the implementation and
configuration of the technology and addresses the behavior needed to help secure the
information.
Technical specifications: Technical specifications are the part of a systems-specific
security policy that contains technical information regarding the purchase, application,
configuration, and management of a specific technology.
