1. Discuss the purpose of an Information Security Policy and how it fits into an effective information security architecture. Your discussion should include the different levels of policies and what should be covered in an information security policy.
A security policy should fulfill a multitude of purposes which a few are: Protecting people, information and setting the rules for behavior by all company personnel. Authorizing security personnel to monitor, probe and investigate. Defining consequences of violations and security baselines. Minimizing risk. Tracking compliance with regulations. An Information Security Policy is comprised of an overall Master Security Policy which states the goals of Senior Management. It also contains the …show more content…
Advisory policies such as Acceptable Use, Business Continuity, Risk Management, and Data Protection, advise members of an organization what they should or should not do. Informative policies can be the one most subject to change as they provide information on specific concerns the organization has such as social engineering scams like Phishing or ransomware. They often are meant to be educational in nature to prevent members from falling victim. Each of the policies will define the standards and guidelines clearly to help management and members during implementation to meet security goals. As for what one covers in an information security policy depends on what business sector the organization falls under. For instance, a hospital will be concerned with HIPPA and not SOX compliance. Additional informative policies would concern Phishing or ransomware. IBM would be concerned with SOX reporting regulations and would stress advisory policies on discussion of intellectual property.
2. Discuss how an organization can apply the information life cycle to protect …show more content…
Data then resides on computer registers while the CPU makes use of it. This can leave it vulnerable to rootkits if machines are not sufficiently safeguarded. Endpoint Data Leakage Prevention (EDLP) is critical to catch unauthorized information leaving a network in case there is a problem with a rootkit. EDLP is also critical for archived data to ensure it does not leave the network unexpectedly. Data in motion is also a critical state. Data in motion is data in the state transmission on the network. Point to point VPN tunnels with IPsec/TSL/DTSL encryption capabilities provide security in transit. To further increase security, one can encrypt the data before the transmission encryption process. Data in archive and rest is less vulnerable than in use data, if sufficient safeguards are in place. Data at rest resides on storage devices such as hard drives. Drive encryption such as bit locker which encrypts the entire hard drive except for the boot volume can be beneficial. This encryption used in conjunction with additional file encryption adds an additional security layer. One additional fact is that archived data needs requirements to check for data leakage which is the unauthorized transfer of data. The data policy needs to specify that Archiving will continue evaluation of such data to determine if still has required value. At that point, one designates data for
A security policy should fulfill a multitude of purposes which a few are: Protecting people, information and setting the rules for behavior by all company personnel. Authorizing security personnel to monitor, probe and investigate. Defining consequences of violations and security baselines. Minimizing risk. Tracking compliance with regulations. An Information Security Policy is comprised of an overall Master Security Policy which states the goals of Senior Management. It also contains the …show more content…
Advisory policies such as Acceptable Use, Business Continuity, Risk Management, and Data Protection, advise members of an organization what they should or should not do. Informative policies can be the one most subject to change as they provide information on specific concerns the organization has such as social engineering scams like Phishing or ransomware. They often are meant to be educational in nature to prevent members from falling victim. Each of the policies will define the standards and guidelines clearly to help management and members during implementation to meet security goals. As for what one covers in an information security policy depends on what business sector the organization falls under. For instance, a hospital will be concerned with HIPPA and not SOX compliance. Additional informative policies would concern Phishing or ransomware. IBM would be concerned with SOX reporting regulations and would stress advisory policies on discussion of intellectual property.
2. Discuss how an organization can apply the information life cycle to protect …show more content…
Data then resides on computer registers while the CPU makes use of it. This can leave it vulnerable to rootkits if machines are not sufficiently safeguarded. Endpoint Data Leakage Prevention (EDLP) is critical to catch unauthorized information leaving a network in case there is a problem with a rootkit. EDLP is also critical for archived data to ensure it does not leave the network unexpectedly. Data in motion is also a critical state. Data in motion is data in the state transmission on the network. Point to point VPN tunnels with IPsec/TSL/DTSL encryption capabilities provide security in transit. To further increase security, one can encrypt the data before the transmission encryption process. Data in archive and rest is less vulnerable than in use data, if sufficient safeguards are in place. Data at rest resides on storage devices such as hard drives. Drive encryption such as bit locker which encrypts the entire hard drive except for the boot volume can be beneficial. This encryption used in conjunction with additional file encryption adds an additional security layer. One additional fact is that archived data needs requirements to check for data leakage which is the unauthorized transfer of data. The data policy needs to specify that Archiving will continue evaluation of such data to determine if still has required value. At that point, one designates data for