Analysis and determination of data sensitivity and its relation to encryption level requirements

The ISSP should include the definition and effective communication of the full range of
program-level and issue-specific security policies and procedures. Each ISSP
component should have an associated security policy and procedure.
Policies must be clear, concise, non-conflicting, acknowledged (for accountability),
and measurable (to ensure enforceability), and the consequences of non-compliance must be
explicitly stated. Corporate policies need to be consolidated into a logical collection and
communicated, via the SATP, to new employees and to non-employees who access corporate
resources. They should be reviewed to ensure validity and updated when audits,
procedures, or other circumstances dictate. The entire ISSP suffers when policies are
ineffective.
© SANS Institute 2002, As part of the Information Security Reading Room. Author retains full rights.
Procedures standardize the ISSP, ensuring equitable application of the policies. When
procedures are implemented without associated policies, problems follow: accountability is
unclear, automated evaluation tools are harder to develop or use, analysis results cannot be
aggregated consistently, and the policies themselves become difficult to understand,
interpret, and enforce.
Security Awareness Training Program (SATP):
The ISSP should contain a robust SATP customized to address the unique security
responsibilities of a diverse group of individuals. Key groups include: basic end users
(typically COTS training can address this group), developers, managers (with special
attention to the ISSP Manager, CIO and CEO), system owners, network and system
administrators, and non-employees. The SATP should contain components covering:
security policies and procedures; an overview of the telecommunications infrastructure,
so that individuals understand their place in the overall corporate structure and that a
risk assumed by one is assumed by all; application-specific security requirements; the
infowar concept; email considerations; social engineering concerns; an overview of
viruses, scams, hoaxes, spamming and spoofing; and physical security matters.
The SATP needs to be included as an integral part of employee and non-employee
orientation. It must be tracked, acknowledged in writing, and made a prerequisite for USERID
or application access. Finally, each component of the SATP should be included in the
audit schedule, and lessons learned should be fed back into the program.
