Policy Levels

Enterprise Information Security Policy (EISP)

Sets strategic direction, scope, and tone for all security efforts within the organization

Executive-level document, usually drafted by or with the Chief Information Officer (CIO) of the organization

Addresses compliance in 2 areas

Ensures that the requirements for establishing the program are met and assigns responsibilities within it to the various organizational components

Use of specified penalties and disciplinary action

Elements include

Overview of corporate security philosophy

Information on the structure of the organization and the people in information security roles

Articulated responsibilities for security shared by all members of the organization

Articulated responsibilities for security unique to each role in the organization

Issue-Specific Security Policy (ISSP)

Addresses specific areas of technology

Requires frequent updates

Contains a statement of the organization's position on the specific issue

Approach

Create a number of independent ISSP documents

Create a single comprehensive ISSP document

Create a modular ISSP document

Systems-Specific Policy

SysSPs fall into 2 groups

Managerial guidance

Technical specifications

Access control lists (ACLs) can restrict access for a particular user, computer, time of day, and session duration

Configuration rule policies govern how a security system reacts to the data it receives

Combination SysSPs combine managerial guidance and technical specifications
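Worked example (added here; not part of the original notes or any vendor's product) of the technical-specification side of a SysSP: a small ACL evaluator that restricts access by user, computer, time of day, and session duration, with explicit deny rules taking precedence and anything not matched by an allow rule denied by default. The rules, hosts, user names, and requests are constructed for illustration.

```python
"""Toy access control list (ACL) evaluator: user, host, time window, duration.
Added illustration, not code from the notes. All rule data is constructed."""
from dataclasses import dataclass
from datetime import datetime, time


@dataclass(frozen=True)
class AclRule:
    user: str          # account the rule applies to, or "*" for any user
    host: str          # computer the rule applies to, or "*" for any host
    start: time        # earliest time of day a session may begin
    end: time          # latest time of day a session may begin
    max_minutes: int   # longest session this rule permits
    allow: bool = True # False marks an explicit deny rule


@dataclass(frozen=True)
class AccessRequest:
    user: str
    host: str
    when: datetime     # requested session start
    minutes: int       # requested session length


def _matches(rule: AclRule, req: AccessRequest) -> bool:
    """True if the rule's user, host and time-of-day window cover the request."""
    if rule.user not in ("*", req.user):
        return False
    if rule.host not in ("*", req.host):
        return False
    t = req.when.time()
    if rule.start <= rule.end:
        return rule.start <= t <= rule.end
    # window crosses midnight, e.g. 22:00-06:00
    return t >= rule.start or t <= rule.end


def evaluate(acl: list[AclRule], req: AccessRequest) -> tuple[bool, str]:
    """Return (granted, reason).

    Explicit deny rules are checked first and always win. Otherwise the first
    matching allow rule decides, including its duration cap. With no matching
    allow rule the request is refused (default deny)."""
    for rule in acl:
        if not rule.allow and _matches(rule, req):
            return False, f"explicit deny for {rule.user}@{rule.host}"
    for rule in acl:
        if rule.allow and _matches(rule, req):
            if req.minutes > rule.max_minutes:
                return False, (f"requested {req.minutes} min exceeds "
                               f"{rule.max_minutes} min limit")
            return True, f"allowed by rule {rule.user}@{rule.host}"
    return False, "no matching rule (default deny)"


# Constructed ACL: a blanket deny for the 'contractor' account, business-hours
# access for alice on one finance workstation, and an overnight maintenance
# window on the bastion host limited to one-hour sessions for anyone.
ACL = [
    AclRule("contractor", "*", time(0, 0), time(23, 59, 59), 0, allow=False),
    AclRule("alice", "ws-fin-01", time(8, 0), time(18, 0), 480),
    AclRule("*", "bastion", time(22, 0), time(6, 0), 60),
]


def check(user: str, host: str, when: str, minutes: int) -> bool:
    """Convenience wrapper used by the demo below; `when` is ISO 8601."""
    granted, reason = evaluate(ACL, AccessRequest(user, host,
                                                  datetime.fromisoformat(when), minutes))
    print(f"{user}@{host} {when} {minutes}min -> {'ALLOW' if granted else 'DENY'}: {reason}")
    return granted


if __name__ == "__main__":
    check("alice", "ws-fin-01", "2024-03-04T09:30", 120)   # allowed
    check("alice", "ws-fin-01", "2024-03-04T19:00", 30)    # outside window
    check("alice", "ws-fin-01", "2024-03-04T09:30", 600)   # too long
    check("bob", "bastion", "2024-03-04T23:15", 30)        # maintenance window
    check("bob", "bastion", "2024-03-04T12:00", 30)        # outside window
    check("contractor", "bastion", "2024-03-04T23:15", 30) # explicit deny
```

The ordering matters: checking deny rules before allow rules and falling through to a refusal mirrors the configuration-rule idea that the system's reaction to unmatched input should be the safe one, rather than whichever rule happens to be listed first.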