Thursday, October 16, 2014

Issue-Specific Security Policy


An Issue-Specific Security Policy (ISSP) is one of the three types of information security policy described by Whitman and Mattord (the other two being the Enterprise Information Security Policy and the System-Specific Security Policy). I found issue-specific security policies to be a more common type of policy used by businesses and organizations. Issue-specific policies may cover electronic mail, use of the Internet, home use of company-owned computer equipment, use of personal equipment on company networks, use of telecommunications technologies, and so on. An ISSP provides detailed, targeted guidance that instructs all members of the organization in the proper use of a given resource.
The overall objective of an ISSP is clear: it tells employees and members of the organization which resources may be used, how they may be used, and which uses are prohibited. An effective ISSP is a binding agreement between the parties (the organization and its members) and shows that the organization has made a good-faith effort to ensure that its technology will not be used in an inappropriate manner (Whitman & Mattord, 2014, p. 134).

Every organization's ISSP has three characteristics:
- It addresses specific technology-based resources.
- It requires frequent updates.
- It contains an issue statement explaining the organization's position on a particular issue.

Components of a typical ISSP:

1. Statement of Purpose
   a. What the scope of the policy is
   b. What technology and issue it addresses
   c. Who is responsible and accountable for policy implementation

2. Authorized Access and Usage of Equipment
   a. Who can use the technology governed by the policy
   b. What the technology can be used for
   c. What constitutes 'fair and responsible' use of the technology, and how that use may affect personal information and privacy

3. Prohibited Usage of Equipment
   a. What constitutes disruptive use, misuse, or criminal use
   b. What other restrictions may apply

4. Systems Management
   a. What kind of authorized employer monitoring is involved (e.g., electronic scrutiny of e-mail and other electronic documents)

5. Violations of Policy
   a. What specific penalties apply to each category of violation
   b. How to report observed or suspected violations, whether openly or anonymously

6. Policy Review and Modification
   a. How the policy is reviewed and modified so that it stays as current as possible

7. Limitations of Liability
   a. Who is liable if an employee violates a company policy or the law


Whitman, M. E., & Mattord, H. J. (2014). Management of Information Security (4th ed.). Stamford, CT: Cengage Learning.
