Chapter 46 – Developing Security Policies
M. E. Kabay, PhD, CISSP

Chapter Contents:

46.1 Introduction
46.2 Collaborating in Building Security Policies
46.3 Phase 1: Preliminary Evaluation
    46.3.1 Introduction to the Study
    46.3.2 State of Current Policy
    46.3.3 Data Classification
    46.3.4 Sensitive Systems
    46.3.5 Critical Systems
    46.3.6 Authenticity
    46.3.7 Exposure
    46.3.8 Human Resources, Management, and Employee Security Awareness
    46.3.9 Physical Security
    46.3.10 Software Development Security
    46.3.11 Computer Operations Security
    46.3.12 Data Access Controls
    46.3.13 Network and Communications Security
    46.3.14 Antimalware Measures
    46.3.15 Backups, Archives, and Data Destruction
    46.3.16 Business Resumption Planning and Disaster Recovery
46.4 Phase 2: Management Sensitization
46.5 Phase 3: Needs Analysis
46.6 Phase 4: Policies and Procedures
46.7 Phase 5: Implementation
    46.7.1 Upper Management
    46.7.2 Technical Support
    46.7.3 Lower-level Staff
    46.7.4 Other Technical Staff
46.8 Phase 6: Maintenance
46.10 Conclusion
46.11 Notes