Search for sample security policies on the Web. Identify five EISP and five ISSP sample policies and bring them to class. Compare these with the framework presented in this chapter and comment on the policies’ comprehensiveness. (Whitman, 2017, p.177)
Five Enterprise Information Security Policies (EISPs) are:
- Kennesaw State University EISP: https://policy.kennesaw.edu/sites/web.kennesaw.edu.policy/files/enterpriseinformationsecuritypolicy_11212016.pdf
- State of Massachusetts EISP: http://www.mass.gov/anf/docs/itd/policies-standards/ent-pol-sec-infosec-low-1-sb-docxsm-kp-docxsm.docx
- The University of Iowa EISP: https://itsecurity.uiowa.edu/resources/faculty-staff/enterprise-information-security-program
- King County, Washington EISP: http://www.kingcounty.gov/~/media/operations/it/governance/policies/Enterprise_Information_Security_Policy_signed.ashx?la=en
- State of Utah EISP: https://dts.utah.gov/policies/enterprise-information-security-policy
In the textbook "Management of Information Security", in the chapter on Information Security Policies, Whitman states that an EISP should typically contain "Purpose, Elements, Need, Roles and Responsibilities, and References" (Whitman, 2017, p. 147).
The table below shows how the five examples measure up to this yardstick (an "x" marks a component that is present; components the policy includes beyond Whitman's five are listed under "Other components"):
| Policy | Purpose | Elements | Need | Roles & Responsibilities | References | Other components |
|---|---|---|---|---|---|---|
| Kennesaw.edu | x | x | | | | Definitions, Exceptions, Scope, Violations, Associated policies |
| Mass.gov | x | | | | | Related Documents, Contact information |
| Uiowa.edu | | | | | | Compliance |
| KingCounty.gov | | | | | | Definitions, Exceptions |
| Utah.gov | x | x | x | x | | Definitions, Enforcement |
Five Issue-Specific Security Policies (ISSPs) are:
- DePaul University: https://students.depaul.edu/~dmarkiew/coursework/is572/final/ISSP-WLAN.doc
- Carnegie Mellon University: http://www.cmu.edu/policies/information-technology/computing.html
- US Department of Agriculture: https://www.ocio.usda.gov/sites/default/files/docs/2012/DR3140-001_0.htm
- Penn State University: http://guru.psu.edu/policies/AD20.html
- University of South Florida: http://www.usf.edu/it/about-us/issp0000networksecurityplan.pdf
In the same chapter, Whitman states that an ISSP should typically contain "Statement of Purpose, Authorized Uses, Prohibited Uses, Systems Management, Violations of Policy, Policy Review and Modification, and Limitations of Liability" (Whitman, 2017, pp. 152-153).
The table below shows how the five examples measure up to this yardstick (an "x" marks a component that is present in that policy):
| Component | DePaul.edu | Cmu.edu | Ocio.usda.gov | Psu.edu | Usf.edu |
|---|---|---|---|---|---|
| Statement of Purpose | | | | | |
| Authorized Uses | | | | | |
| Prohibited Uses | | | | | |
| Systems Management | | | | | |
| Violations of Policy | | | | | |
| Policy Review and Modification | x | x | | | |
| Limitations of Liability | x | | | | |