The ISSP should include the definition and effective communication of the full range of
program-level and issue-specific security policies and procedures. Each ISSP
component should have an associated security policy and procedure.
Policies must be clear, concise, non-conflicting, acknowledged (for accountability),
measurable (to ensure enforceability), and explicit about the consequences of
non-compliance. Corporate policies need to be consolidated in a logical collection and
communicated via the Security Awareness Training Program (SATP) to new employees and to
non-employees accessing corporate resources. They should be reviewed to ensure validity
and updated when audits, procedures, or other circumstances dictate. The entire ISSP
suffers when policies are
© SANS Institute 2002, As part of the Information Security Reading Room. Author retains full rights.
Procedures standardize the ISSP, ensuring equitable application of the policies. When
procedures are implemented without associated policies, problems ensue with
accountability, with developing or using automated evaluation tools and aggregating
their results, and with the understanding, interpretation and enforcement of the
Security Awareness Training Program (SATP):
The ISSP should contain a robust SATP customized to address the unique security
responsibilities of a diverse group of individuals. Key groups include: basic end users
(typically COTS training can address this group), developers, managers (with special
attention to the ISSP Manager, CIO and CEO), system owners, network and system
administrators, and non-employees. The SATP should contain components covering:
security policies and procedures; an overview of the telecommunications infrastructure,
so that individuals understand their place in the overall corporate structure and that a
risk assumed by one is assumed by all; application-specific security requirements; the
information warfare (infowar) concept; email considerations; social engineering concerns;
an overview of viruses, scams, hoaxes, spamming and spoofing; and physical security matters.
The SATP needs to be included as an integral part of employee and non-employee
orientation. It must be tracked, acknowledged in writing, and made a prerequisite for user ID
or application access. Finally, each component of the SATP should be included in the
audit schedule, and lessons learned fed back into the program.
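As an added example (not part of the paper, and not SANS code), the "tracked, acknowledged in writing, prerequisite for access" rule above expressed as a provisioning gate: the identity-provisioning step refuses to create a user ID until every SATP module required for the requester's group has a written acknowledgment on record that is still current. The module names, the group-to-module mapping and the one-year refresh interval are assumptions chosen for illustration; the acknowledgment records are constructed sample data.

```python
"""Provisioning gate enforcing SATP acknowledgment before a user ID is issued.

Illustrative code added to the text, not from the paper.  Module names, the
role-to-module mapping and the 365-day refresh interval are assumptions.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta

# Assumed SATP modules per key group named in the text (hypothetical names).
REQUIRED_MODULES = {
    "end_user": {"policies", "email_social_engineering", "malware_hoaxes", "physical"},
    "developer": {"policies", "email_social_engineering", "malware_hoaxes",
                  "physical", "app_security"},
    "sysadmin": {"policies", "email_social_engineering", "malware_hoaxes",
                 "physical", "infrastructure"},
    "non_employee": {"policies", "email_social_engineering", "physical"},
}
ACK_VALIDITY = timedelta(days=365)  # assumption: annual refresh of each module


@dataclass
class Acknowledgment:
    """One tracked, written acknowledgment of a single SATP module."""
    user: str
    module: str
    signed_on: date


@dataclass
class Decision:
    """Outcome of the gate, with reasons suitable for the audit trail."""
    user: str
    granted: bool
    reasons: list = field(default_factory=list)


def check_provisioning(user: str, role: str, acks: list, today: date) -> Decision:
    """Grant a user ID only if every module required for `role` has a current
    acknowledgment from `user`.  Unknown roles are denied (fail closed)."""
    decision = Decision(user=user, granted=False)
    required = REQUIRED_MODULES.get(role)
    if required is None:
        decision.reasons.append(f"unknown role {role!r}; no SATP requirements defined")
        return decision

    # Keep only the most recent acknowledgment per module for this user.
    latest = {}
    for ack in acks:
        if ack.user == user and (ack.module not in latest or ack.signed_on > latest[ack.module]):
            latest[ack.module] = ack.signed_on

    for module in sorted(required):
        signed = latest.get(module)
        if signed is None:
            decision.reasons.append(f"missing: {module}")
        elif today - signed > ACK_VALIDITY:
            decision.reasons.append(f"expired: {module} (signed {signed.isoformat()})")

    decision.granted = not decision.reasons
    return decision


# Constructed sample records: alice is current, bob lacks the developer
# module, carol's policy acknowledgment is more than a year old.
SAMPLE_ACKS = [
    Acknowledgment("alice", m, date(2024, 1, 10))
    for m in ("policies", "email_social_engineering", "malware_hoaxes", "physical")
] + [
    Acknowledgment("bob", m, date(2024, 3, 2))
    for m in ("policies", "email_social_engineering", "malware_hoaxes", "physical")
] + [
    Acknowledgment("carol", m, date(2024, 2, 20))
    for m in ("email_social_engineering", "malware_hoaxes", "physical", "infrastructure")
] + [Acknowledgment("carol", "policies", date(2022, 5, 1))]
TODAY = date(2024, 6, 1)


def run_gate(requests, acks=SAMPLE_ACKS, today=TODAY) -> dict:
    """Evaluate (user, role) access requests; returns decisions keyed by user."""
    return {user: check_provisioning(user, role, acks, today) for user, role in requests}


if __name__ == "__main__":
    for user, d in run_gate([("alice", "end_user"), ("bob", "developer"),
                             ("carol", "sysadmin"), ("dave", "contractor")]).items():
        status = "GRANT" if d.granted else "DENY "
        print(f"{status} {user}: {'; '.join(d.reasons) or 'all SATP acknowledgments current'}")
```

The gate fails closed on an unrecognised group, and each denial carries the module and date that caused it, so the same record feeds both the provisioning decision and the audit schedule the text calls for.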