Friday, March 14, 2014

Part V-1: Corporate Information Security Policy


Why Attacks Seem Less Frequent Than They Are

Nine out of ten companies have been attacked, but only one out of three reports security incidents. There are several reasons for this. Here are a few:
  • The company might not know about the incidents.
  • Reporting the incidents tarnishes the company's reputation.
  • Reporting the incidents may attract more attackers.

Developing Policies

Start with risk management. You should first know which of your assets are worth protecting, how likely each one is to be attacked, and how much you are willing to pay to protect it. Once you know this, you are ready for step 2.

Step 2 is to get support from top-level management. You need real support, not just a promise from management that they will not stand in your way. They need to understand the importance and the urgency of security, and they need to be committed to the policy development process.

Now we are ready to draft a policy. The policy should be free of technical jargon; everyone should be able to understand it. More importantly, everyone should understand why having security policies matters. Next, based on these policies, set up supporting programs. These include penalty measures for those who do not abide by the rules, reward programs for those who help catch attackers, and a security awareness training program.

Attackers adapt to defenses, and so should security policies. Periodically perform penetration tests. Use the results of those tests, together with findings from other sources, to improve your corporate information security policies.

Verification and Authorization Procedures

This can be done in three key steps (see the details in [the book]):

  • Verification of identity
  • Verification of employee status
  • Verification of need-to-know

Examples of Information Security Policies

There are a lot of example policies and suggestions in the book. I will only list the key topics here; if you are interested, you should read this chapter. In fact, I think this chapter can be used as a starting point if you are drafting information security policies for your corporation.

  • Management policies: Data classification, information disclosure, phone administration, miscellaneous
  • Information technology policies: General, help desk, computer administration, computer operations
  • Policies for all employees: General, computer/email/phone/fax/voice mail use, passwords, thin client
  • Policies for human resources
  • Policies for physical security
  • Policies for receptionists
  • Policies for the incident reporting group


Book or Audiobooks?

Personally, I prefer audiobooks. It's fun, and I can listen while I'm doing something else. It also makes other activities (e.g., jogging) a lot more fun. For more detail about audiobooks, please read [this post].

There is one more reason that may encourage you to go for the audiobook version: you can get it now for FREE. Audible offers you a free trial for 14 days. Even if you get the book and cancel the subscription right away (so that you don't have to pay), you can keep the book. And don't worry if you lose the audiobook file; just log in and you can download it over and over again.

About the summary: It takes time to finish a book. And when you do, sometimes you want to review what you learned from it. If you do not make notes as you read, you might have to go through the book once again. This can be time-consuming when you are dealing with a book, but you can still flip through the book and locate what you are looking for.

However, when the material is an audiobook, it is extremely hard to locate a specific part of content. Most likely you will have to listen to the entire audiobook once again.

This book summary will help solve the pain of having to go through the book all over again.

I am leaving out the details of the books. Most books have interesting examples and case studies, not included here. Reading the original book would be much more entertaining and enlightening. If you like the summary, you may want to get the original from the source below.
