Policy Levels - Coggle Diagram
Enterprise Information Security Policy (EISP)
Sets strategic direction, scope, and tone for all security efforts within the organization
Executive-level document, usually drafted by or with the Chief Information Officer (CIO) of the organization
Addresses compliance in two areas:
General compliance: ensures the requirements to establish the security program are met and that responsibilities within it are assigned to the various organizational components
Use of specified penalties and disciplinary action for non-compliance
Elements include
Overview of corporate security philosophy
Information on the structure of the organization and the people in information security roles
Articulated responsibilities for security shared by all members of the organization
Articulated responsibilities for security unique to each role in the organization
Systems-Specific Security Policy (SysSP)
Focuses on a single system or technology; often functions as a standard or procedure. SysSPs fall into two groups:
Managerial guidance: written by management to guide how a technology is implemented and configured, and how users interact with it
Technical specifications: the concrete settings that implement that guidance, for example:
Access control lists (ACLs) can restrict access for a particular user, computer, time of day, or session duration (default deny: anything not explicitly listed is refused)
Configuration rule policies (e.g. firewall or IDS rule sets) govern how a security system reacts to the data it receives
Combination SysSPs combine managerial guidance and technical specifications
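The ACL bullet above lists the attributes a technical specification can restrict on (user, computer, time, duration) but does not show how such a list is evaluated. The following is an added example, not part of the Coggle diagram: a small default-deny ACL evaluator in Python. The entries, hostnames and time windows are constructed sample data, and the first-match semantics (the first entry matching user and host decides) is an assumption of this example, not something the diagram states.

```python
from dataclasses import dataclass
from datetime import datetime, time, timedelta
from typing import List, Tuple


@dataclass(frozen=True)
class AclEntry:
    """One ACL line: who, from where, when, and for how long."""
    user: str
    host: str               # "*" matches any computer
    start: time             # allowed window start (inclusive), local time
    end: time               # allowed window end (exclusive); may wrap past midnight
    max_duration: timedelta  # longest session this entry permits


# Constructed sample ACL (hypothetical users and hosts, not from the page).
ACL: List[AclEntry] = [
    AclEntry("alice", "ws-17", time(8, 0), time(18, 0), timedelta(hours=8)),
    AclEntry("bob", "*", time(22, 0), time(6, 0), timedelta(hours=1)),  # night shift
]


def in_window(entry: AclEntry, when: datetime) -> bool:
    """True if the clock time of `when` falls inside the entry's window."""
    t = when.time()
    if entry.start <= entry.end:
        return entry.start <= t < entry.end
    # Window wraps midnight (e.g. 22:00 -> 06:00).
    return t >= entry.start or t < entry.end


def evaluate(acl: List[AclEntry], user: str, host: str,
             when: datetime, requested: timedelta) -> Tuple[bool, str]:
    """Decide an access request against the ACL.

    The first entry whose user and host match decides the outcome; if no
    entry matches, the request is denied (default deny).
    """
    for entry in acl:
        if entry.user != user:
            continue
        if entry.host != "*" and entry.host != host:
            continue
        if not in_window(entry, when):
            return False, "outside allowed time window"
        if requested > entry.max_duration:
            return False, "requested duration exceeds maximum"
        return True, "allowed"
    return False, "no matching entry (default deny)"


if __name__ == "__main__":
    for req in [
        ("alice", "ws-17", datetime(2024, 1, 15, 9, 30), timedelta(hours=2)),
        ("alice", "ws-99", datetime(2024, 1, 15, 9, 30), timedelta(hours=2)),
        ("alice", "ws-17", datetime(2024, 1, 15, 19, 0), timedelta(hours=1)),
        ("bob", "ws-3", datetime(2024, 1, 15, 23, 30), timedelta(minutes=30)),
        ("bob", "ws-3", datetime(2024, 1, 15, 12, 0), timedelta(minutes=30)),
    ]:
        print(req[0], req[1], req[2].strftime("%H:%M"), "->", evaluate(ACL, *req))
```

Each denial carries a reason so that the managerial-guidance side of the SysSP (who reviews denied requests, what gets logged) has something concrete to act on; the allow path deliberately returns nothing beyond "allowed" so that no extra information leaks to the requester.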
Issue-Specific Security Policy (ISSP)
Addresses specific areas of technology (e.g. email, Internet use, personal equipment on the network)
Requires frequent updates, because the technologies it covers change
Contains a statement of the organization's position on the specific issue
Approaches to implementing the ISSP:
Create a number of independent ISSP documents, each covering one issue
Create a single comprehensive ISSP document covering all issues
Create a modular ISSP document: one unified framework with separately maintained modules for each issue