Thursday, September 25, 2014

Information Security Policy

Access Control Lists

Access control lists (ACLs) include the user access lists, matrices, and capability tables that govern the rights and privileges of users. ACLs can control access to file storage systems, object brokers, or other network communications devices. A capability table specifies which subjects and objects users or groups can access.
ACLs enable administrators to restrict access according to the user, computer, time, duration, or even a particular file.
ACLs regulate:
· Who can use the system
· What authorized users can access
· When authorized users can access the system
· Where authorized users can access the system from
· How authorized users can access the system.
Access to files and applications can be restricted with four types of privileges:
· Read
· Write
· Execute
· Delete
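The who/what/when/where/how dimensions and the four privileges above can be evaluated by a small default-deny ACL checker. The following is an added example written for this post, not code from the referenced textbook; the `AclEntry` structure, `is_permitted` function and the sample entries are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import time
from ipaddress import ip_address, ip_network

# The four privilege types named in the post.
PRIVILEGES = {"read", "write", "execute", "delete"}


@dataclass(frozen=True)
class AclEntry:
    """One ACL row (hypothetical layout): who may do what to which object,
    from where and during which time window."""
    subject: str            # user or group name (who)
    obj: str                # file or resource name (what)
    privileges: frozenset   # subset of PRIVILEGES (how)
    source: str             # CIDR the request must come from (where)
    start: time             # start of permitted window (when)
    end: time               # end of permitted window (when)


def is_permitted(acl, subject, groups, obj, privilege, source_ip, at):
    """Default deny: True only if some entry grants every dimension."""
    if privilege not in PRIVILEGES:
        raise ValueError(f"unknown privilege {privilege!r}")
    principals = {subject} | set(groups)
    for e in acl:
        if e.subject not in principals:               # who
            continue
        if e.obj != obj or privilege not in e.privileges:  # what / how
            continue
        if ip_address(source_ip) not in ip_network(e.source):  # where
            continue
        if not (e.start <= at <= e.end):              # when
            continue
        return True
    return False


# Constructed sample capability table, not taken from the referenced text.
SAMPLE_ACL = [
    AclEntry("alice", "payroll.db", frozenset({"read", "write"}),
             "10.0.0.0/24", time(8, 0), time(18, 0)),
    AclEntry("auditors", "payroll.db", frozenset({"read"}),
             "10.0.1.0/24", time(0, 0), time(23, 59)),
]
```

Because no entry ever grants "delete" on payroll.db, that request is refused for every subject regardless of time or source address.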

Configuration Rules

Configuration rules are instructional codes that guide the execution of the system when information is passing through it. Rule-based policies are more specific to the operation of a system than ACLs are, and they may or may not deal with users directly.

Guidelines for Effective Policy

An effective approach has six stages: development, distribution, review, comprehension, compliance, and uniform enforcement. A policy must be:
· Developed using industry-accepted practices
· Distributed using all appropriate methods
· Read by all employees
· Understood by all employees
· Formally agreed to by act or affirmation
· Uniformly applied and enforced.

Policy Compliance

Policy compliance means the employee must agree to the policy. According to Whitman, policies must be agreed to by act or affirmation. Agreement by act occurs when the employee performs an action that requires them to acknowledge understanding of the policy before using a technology or organizational resource.

Policy Enforcement

The final component of the design and implementation of effective policies is uniform and impartial enforcement. As in law enforcement, policy enforcement must be able to withstand external scrutiny.

Reference: Management of Information Security by Whitman and Mattord
