Policy Review and Modification Overview: You are the Information Security Office
Question
Policy Review and Modification
Overview:
You are the Information Security Officer of Mahtmarg Manufacturing, a small manufacturing company worth approximately $5 million that provides fiber cable to local businesses, individual customers and government organizations. Over the next eight weeks you will be creating your Information Security Plan (Issue-Specific Security Policy in Table 4-3 of the textbook) step by step using this scenario.
Your Task
Step 6: Develop the Policy Review and Modification section of your ISP
In this week's Lab you will develop the review and modification policy portion of your ISP to ensure it is a "living document". This must include:
At least an annual review
Identification of who is responsible for making updates and revisions
Detail concerning where these updates are published and how employees can access them
Remember that every company is in a constant state of change and your network infrastructure is constantly evolving. The risks you face today are not the risks you will encounter next year, nor are they the same as those you encountered in years past. It is crucial that you routinely review and update the company's information security plan as both the threats and the company change.
Explanation / Answer
TO DEVELOP THE ISP: ISP means information security policies. A strong security position is maintained through the application of security controls, data ownership responsibilities, and maintenance of the security infrastructure. This policy articulates requirements that assist management in defining a framework that establishes a secure environment. This framework provides the overarching structure for safeguarding Information Technology (IT) Resources, achieving confidentiality, integrity and availability of the data and Resources used to manage the services provided by commonwealth agencies, authorities, and business partners.
It is the responsibility of Agency Heads to have controls in place and in effect that provide reasonable assurance that security objectives are addressed. The Agency Head has responsibility to exercise due diligence in the adoption of this framework. Agencies must achieve compliance with the overall information security goals of the commonwealth, including compliance with laws, regulations, policies and standards to which their technology resources and data, including but not limited to personal information, are subject.
POLICY STATEMENT:
Agencies are required to implement policies, associated procedures and controls that protect the agency's information assets, including but not limited to personal information and IT Resources, from all threats, whether internal or external, deliberate or accidental. In addition to the three guiding principles of information security (confidentiality, integrity and availability), agencies must review the overall implementation of security controls against all applicable laws, regulations, policies, standards and associated risks.
Information security management program: Agencies are required to implement an information security program (ISP). An ISP is a management system that represents the policies and controls implemented within an organization. An effective management system provides both management and users with a detailed understanding of the goals, approach and implemented controls for securing the organization's information assets, including but not limited to sensitive information (for example, personal information), and must address the ISP lifecycle, including risk assessment, risk treatment, selection and implementation of security controls, and ongoing evaluation and maintenance.
Organization of information security: Agencies are required to maintain the security of the organization's information and information processing facilities that are accessed, communicated to, or managed by employees and contractors (staff) and third parties by:
* Documenting the specific responsibilities of staff and third parties, and
* Ensuring that all applicable contractual agreements incorporate and support the security-based requirements.
ASSET MANAGEMENT: Agencies are required to achieve and maintain appropriate protection of information assets, including but not limited to personal information and IT Resources, by assigning the responsibility to implement controls for achieving:
* Inventory of IT-related assets,
* Data classification,
* Appropriate tagging and data handling per classification, and
* Acceptable use via implementation and enforcement of an Acceptable Use Policy.