
30 Apr 2009

Building and Deploying Effective Security Policies

By IPSECS Admin. Posted in Management | Comments Off

Defining Effective Security Policies

First, we must define what we mean when we say policies are “effective.” One way to build this definition is by looking at the ways organizations feel their policies are not effective. For this discussion, we use the following criteria:
1. Effective policies adequately define the high-level security goals of the company to reduce operational risk.
2. Effective policies adequately protect an organization against legal action for possible violations.
3. Effective policies are read and understood by all employees and contractors in various roles within the organization.


Criterion #1 is based on the need for policies to be complete. An organization’s policies must adequately cover the topics of an effective security program, including compliance with regulations.

Criterion #2 reflects the organization’s fear of damaging lawsuits, including possible violation of legislation. These fears are justified: recent court cases are establishing precedents that would in fact hold most organizations liable.

Criterion #3 reflects most organizations’ highest concern when it comes to security. In fact, these three criteria are intricately related, and it is virtually impossible to adequately satisfy one without the other two.


30 Apr 2009

Introduction to ISO/IEC 27002

By IPSECS Admin. Posted in Management | Comments Off

ISO/IEC 27002, part of a growing family of ISO/IEC ISMS standards (the ‘ISO/IEC 27000 series’), is an information security standard published by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). It was first published as ISO/IEC 17799:2005 and subsequently renumbered ISO/IEC 27002:2005 in July 2007, bringing it into line with the other ISO/IEC 27000-series standards. It is entitled Information technology – Security techniques – Code of practice for information security management. The current standard is a revision of the version first published by ISO/IEC in 2000, which was a word-for-word copy of the British Standard (BS) 7799-1:1999.


ISO/IEC 27002 provides best practice recommendations on information security management for use by those who are responsible for initiating, implementing or maintaining Information Security Management Systems (ISMS). Information security is defined within the standard in the context of the C-I-A triad:
