Information Security

1. List and describe the three challenges in shaping policy.

• Policy should never conflict with the law



This ensures the organization is complying with the laws of their jurisdiction and avoids being liable in the process.



• Policy must be able to stand up in court if challenged



Since policies are intended to add control and security, it is only logical that they can be able to aid with law processes. As such, when questioned in the court of law, policies developed after consulting the law must be able to stand up in court.



• Policy must be properly supported and administered



There should be measures in place, compliance, and liability to ensure these policies will be followed. The right channel must be followed to make policies and administer them without cutting corners.

2. List and describe the three guidelines for sound policy, as stated by Bergeron and BÉrubÉ.

• Policy must contribute to the success of the organization



Policies must be tailored to the specific needs of the organization because it would make little sense to have policies that are not well aligned with the organization. This helps the overall purpose of the organization, ensuring its success as policy is the least expensive means of control.



• Management must ensure the adequate sharing of responsibility for proper use of information systems



This encourages everyone to be active participants in the safeguarding and protection of the organization including the employees and other shareholders.



• End users should be involved in the policy development process



Since end users are the most important shareholders as they are the customers, their say will help shape the policies the organization employees ensuring their effectiveness.

3. Describe the bull’s-eye model. What does it say about policy in the InfoSec program?

The bull’s eye model emphasizes the role of policy on an InfoSec program. Since organizations are different sizes and have different needs for policy, it is only right that each organization has the best policy to ensure no confusion, or the demoralization of employees occurs. As a result, the bull’s eye model provides a proven mechanism for prioritizing complex changes. Issues are addressed by moving from general to the specific, always starting with policy. As such, its four steps are policies, networks, systems and finally applications. By making sure that policies are set and right, then organizations can move on and protect the other aspects of the organization without being too stringent or demoralizing employees.

4. In what way are policies different from standards?

Policies are a set of rules that dictate acceptable and unacceptable behavior within an organization while standards clarify and define exactly what it means and what the organization will do to stop the behavior.

5. In what way are policies different from procedures?

Policies are a set of rules that dictate acceptable and unacceptable behavior within an organization while procedures explain how employees are to comply with the said policy.