"The success of an information resources protection program depends on the policy generated, and on the attitude of management toward securing information on automated systems. You, the policy maker, set the tone and the emphasis on how important a role information security will have within your agency. Your primary responsibility is to set the information resource security policy for the organization with the objectives of reduced risk, compliance with laws and regulations and assurance of operational continuity, information integrity, and confidentiality" (Special Publication SP 500-169, Executive Guide to the Protection of Information Resources)
What are information security policies and how do they support this goal?
- Policy - The high-level statement of intent that defines the organization's approach to information security; it is set by senior management and gives the documents below their authority.
- Standards - The mandatory requirements that must be met to support the policy.
- Guidelines - Recommended, non-mandatory practices that help meet the standards and the policy.
- Procedures - The step-by-step instructions (standard work) used to carry out the policy, incorporating best practice and the required controls.