
Issue-Specific Security Policy (Chapter 4, p. 124)

The issue-specific security policy deals with what you can and cannot do with an organization's computers, network, equipment, data and/or information; exceptions to the rules; violation of law; revocation of access privileges; security policies and procedures; security controls; enforceability; and who the targeted audience is. This may seem a little daunting to the targeted audience member, but they need to remember that the data, information and equipment used to perform their jobs are vital to the organization's bottom line, survivability and day-to-day operations. In other words, it is the organization's property, and the organization wants it to be there for others to use, so it wants it to remain locatable, serviceable and unmolested.

An example of an issue-specific security policy may dictate that electronic mail (email) on company computers will be for company business only, and that no solicitation of any kind is allowed via email on company computers. It may dictate that a first-time failure to abide by the issue-specific security policy results in rereading that policy with your manager and signing a warning letter. The warning letter would spell out the penalties for future indiscretions, to include limited or lost access, or termination. These policies were derived because issues like these and others have happened in almost every organization, resulting in loss of production, which means loss of revenue. The idea is to keep workers focused on business that benefits the organization, not themselves.

I believe that for the issue-specific security policy to be effective within an organization, the following items need to be addressed:

Dissemination - The policy is readily available to all workers to review; this is usually done through hard copies and soft copies.
Review - The disseminated document is in intelligible form, including versions for reading-impaired employees.
Comprehension - Do employees thoroughly understand the policy and what is expected of them?
Compliance - Employees confirm compliance through their acts and confirmation; this is usually done through signing compliance paperwork, company computer login notices and banners.
Enforcement - The company needs to show that it enforces the policy uniformly.

Chapter 5: What functions constitute a complete information security program?

A complete information security program is exclusive to an organization, as it is based on the culture, size and budget of that organization. It is also based on the organization's strategic plans, vision, goals and objectives, and on how they convey the organization's mission. To break it down further, the information security program can be divided into the following areas: centralized authentication, compliance, incident response, legal assessment, network security administration, planning, risk assessment, risk management, system security administration, system testing and vulnerability assessment. These areas are neither exclusive nor all-encompassing, but they are the areas usually associated with an information security program within an organization.

Chapter 6: What are the three areas of the SETA program?

The three areas of the SETA program are as follows:

Security Education - Used for those individuals who do not have the background or experience to perform their jobs in the security department of an organization. This also extends to individuals who have the necessary background and experience but are looking to expand it with higher or advanced courses.
Security Training - Involves providing the individuals of an organization with detailed information and hands-on instruction so that they can perform their duties steadily. Training programs can be accomplished either in-house or outsourced, in part or in whole. NIST SP 800-16, Information Technology Security Training Requirements: A Role- and Performance-Based Model, is a manual of almost 200 pages with extensive training development material in it; many organizations with an information security program have used it to develop comprehensive security training programs.
Security Awareness - Keeps security at the forefront of users' minds on a daily basis, while inspiring a sense of responsibility and purpose in employees who deal with information. It is designed to alter employees' behavior when it comes to information security by educating them on proper handling techniques, proper use of applications and risk mitigation. If management does not set a good example, these efforts can be quickly undermined without proper security training and awareness.
Salient Point 1: Motivating Management and Employees (Whitman, M. & Mattord, H., 2010, Ch. 5, p. 197)

To successfully motivate management and employees, SETA program designers need to show both management and employees how their involvement benefits the organization. Demonstrating the possible losses related to computer security, and the role that training plays, might open the eyes of management and motivate them. Explaining how employees are accountable for their actions, and how proper training designed by SETA program members can mitigate or eliminate the chances that an employee wanders into a forbidden realm within the company, also helps. Presenting to both management and employees that the SETA program designers are there to help and aid them may also eliminate any negative connotations that may be associated with the SETA program in general.

Salient Point 2: Categories of Access Control (Whitman, M. & Mattord, H., 2010, Ch. 6, p. 214)

There are six categories that address access control, each describing a function or a set of functions to aid in each access control area. Each of the six categories is broken down into three different fields: Management, Operational and Technical.

Preventative - Controls that help the organization prevent an incident.
Deterrent - Controls that deter or dissuade an initial incident.
Detective - Controls that detect or identify threats or incidents after an incident happens.
Corrective - Controls that remedy a situation after an incident happens.
Recovery - Controls that return operations to normal after an incident happens.
Compensating - Controls that resolve shortcomings.

An example of the three fields within the six access control categories, taking the category Deterrent, would be: Management - policies; Operational - warning signs; Technical - warning banners.

Salient Point 3: What is the Graham-Denning Access Control Model? (Whitman, M. & Mattord, H., 2010, Ch. 6, p. 223)

The Graham-Denning Access Control Model has three parts: objects, subjects and rights. The subjects are composed of two parts: a process and a domain. The domain is a set of limitations on how subjects can access objects. Subjects may be objects at specific times, and rights govern how the subjects can manipulate the passive objects. The Graham-Denning model describes eight primitive protection rights, called commands, that subjects can execute and that have an effect on other subjects or objects. The eight primitive protection commands are as follows:

1) Create Object
2) Create Subject
3) Delete Object
4) Delete Subject
5) Read Access Rights
6) Grant Access Rights
7) Delete Access Rights
8) Transfer Access Rights
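The eight commands listed above, as a runnable access-matrix example added here (this is not code from the page or from Whitman & Mattord): each command checks the precondition the Graham-Denning model attaches to it before it changes the matrix, which is what makes the matrix a protection model rather than just a table. The "owner" and "control" rights and the "*" copy flag that those preconditions rely on are the model's standard elements, which the page does not mention; the class, method, subject and object names are this example's own.

```python
# Added example, not code from the page or the textbook: a minimal access
# matrix with the eight Graham-Denning commands. The "owner"/"control" rights
# and the "*" copy flag are the model's standard preconditions; every other
# name here is this example's own.


def _require(cond, msg):
    if not cond:
        raise PermissionError(msg)


class GrahamDenning:
    def __init__(self):
        self.subjects = set()
        self.objects = set()   # every subject is also an object (has a column)
        self.matrix = {}       # (subject, object) -> set of rights

    def _get(self, s, o):      # read-only view; missing cells are empty
        return self.matrix.get((s, o), frozenset())

    def _add(self, s, o, r):   # create the cell on first write
        self.matrix.setdefault((s, o), set()).add(r)

    def _purge(self, name):    # drop every row and column mentioning name
        self.subjects.discard(name)
        self.objects.discard(name)
        for key in [k for k in self.matrix if name in k]:
            del self.matrix[key]

    # 1) Create Object: the creating subject becomes the owner.
    def create_object(self, s, o):
        _require(s in self.subjects, f"{s} is not a subject")
        _require(o not in self.objects, f"{o} already exists")
        self.objects.add(o)
        self._add(s, o, "owner")

    # 2) Create Subject: the creator owns the new subject, which controls itself.
    def create_subject(self, s, t):
        _require(t not in self.objects, f"{t} already exists")
        _require(s is None or s in self.subjects, f"{s} is not a subject")
        self.subjects.add(t)
        self.objects.add(t)
        self._add(t, t, "control")
        if s is not None:      # s=None bootstraps an ownerless first subject
            self._add(s, t, "owner")

    # 3) Delete Object: only the owner may delete it.
    def delete_object(self, s, o):
        _require("owner" in self._get(s, o), f"{s} does not own {o}")
        self._purge(o)

    # 4) Delete Subject: only the owner may delete it.
    def delete_subject(self, s, t):
        _require("owner" in self._get(s, t), f"{s} does not own {t}")
        self._purge(t)

    # 5) Read Access Rights of t on o: s must own o or control t.
    def read_rights(self, s, t, o):
        _require("owner" in self._get(s, o) or "control" in self._get(s, t),
                 f"{s} may not read {t}'s rights on {o}")
        return frozenset(self._get(t, o))

    # 6) Grant Access Right r on o to t: only the owner of o may grant.
    def grant_right(self, s, r, t, o):
        _require("owner" in self._get(s, o), f"{s} does not own {o}")
        self._add(t, o, r)

    # 7) Delete Access Right r of t on o: s must own o or control t.
    def delete_right(self, s, r, t, o):
        _require("owner" in self._get(s, o) or "control" in self._get(s, t),
                 f"{s} may not revoke {t}'s rights on {o}")
        self.matrix.get((t, o), set()).discard(r)

    # 8) Transfer Access Right r (or r*) on o to t: s must itself hold r* on
    #    o, i.e. the right with the copy flag; a plain r cannot be passed on.
    def transfer_right(self, s, r, t, o):
        base = r.rstrip("*")
        _require(base + "*" in self._get(s, o),
                 f"{s} holds no copyable {base} right on {o}")
        self._add(t, o, r)


def demo():
    # Constructed scenario: alice owns a file and grants bob a copyable read
    # right; bob may pass a plain read to carol, but carol cannot pass it on.
    gd = GrahamDenning()
    gd.create_subject(None, "alice")
    gd.create_subject("alice", "bob")
    gd.create_subject("alice", "carol")
    gd.create_object("alice", "payroll.xlsx")
    gd.grant_right("alice", "read*", "bob", "payroll.xlsx")
    gd.transfer_right("bob", "read", "carol", "payroll.xlsx")
    try:
        gd.transfer_right("carol", "read", "bob", "payroll.xlsx")
        carol_blocked = False
    except PermissionError:
        carol_blocked = True
    return gd, carol_blocked
```

Running demo() shows the point that matters in practice: a right handed out without the copy flag stops with its holder, and only the owner of an object (or the controller of a subject) can read or revoke entries, so the matrix itself records who is allowed to change it. Deleting a subject or object also removes its row and column, so no stale rights survive the deletion.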

References

Whitman, M. E. (2011). Management of information security. Stamford: Cengage Learning.
