Information Security Policies and Procedures: A Practitioner’s Reference, Second Edition illustrates how policies and procedures support the efficient running of an organization. This book is divided into two parts, an overview of security policies and procedures, and an information security reference guide. This volume points out how security documents and standards are key elements in the business process that should never be undertaken to satisfy a perceived audit or security requirement. Instead, policies, standards, and procedures should exist only to support business objectives or mission requirements; they are elements that aid in the execution of management policies. The book emphasizes how information security must be integrated into all aspects of the business process. It examines the 12 enterprise-wide (Tier 1) policies, and maps information security requirements to each. The text also discusses the need for top-specific (Tier 2) policies and application-specific (Tier 3) policies and details how they map with standards and procedures. It may be tempting to download some organization’s policies from the Internet, but Peltier cautions against that approach. Instead, he investigates how best to use examples of policies, standards, and procedures toward the achievement of goals. He analyzes the influx of national and international standards, and outlines how to effectively use them to meet the needs of your business. "Information Security Policies and Procedures: A Practitioner's Reference, Second Edition illustrates how policies and procedures support the efficient running of an organization. This book is divided into two parts: an overview of security policies and procedures and an information security reference guide. This volume points out how security documents and standards are key elements in the business process that should never be undertaken to satisfy a perceived audit or security requirement. Instead, policies, standards, and procedures should exist only to support business objectives or mission requirements; they are elements that aid in the execution of management policies."--Jacket The book illustrates how policies and procedures support the efficient running of an organization. This volume points out how security documents and standards are key elements in the business process, but should never be undertaken to satisfy a perceived audit or security requirement. Instead, policies, standards, and procedures should exist only to support business objectives or mission requirements; they are elements that aid in the execution of management policies. This treatment details how security policies support management's directions. The authors emphasize how information security mu 7.1 Federal Sentencing Guidelines for Criminal Convictions7.2 The Economic Espionage Act of 1996; 8 Business Requirements; 8.1 The Need for Controls; 8.2 Good Business Practices; 9 Where to Begin?; 10 Summary; Notes; Chapter 2; Why Manage This Process as a Project?; 1 Introduction; 2 First Things First: Identify the Sponsor; 3 Defining the Scope of Work; 4 Time Management; 5 Cost Management; 6 Planning for Quality; 7 Managing Human Resources; 8 Creating a Communications Plan; 8.1 Sample Communications Plan during Development of P & P; 8.2 Sample Communications Plan after Deployment; 9 Summary Chapter 3Planning and Preparation; 1 Introduction; 2 Objectives of Policies, Standards, and Procedures; 3 Employee Benefits; 4 Preparation Activities; 5 Core and Support Teams; 6 Focus Groups; 7 What to Look for in a Good Writer and Editor; 8 Development Responsibilities; 9 Other Considerations; 10 Key Factors in Establishing the Development Cost; 10.1 Research, Collect, and Organize the Information; 10.2 Conduct Interviews; 10.3 Write the Initial Draft and Prepare Illustrations; 10.4 Proofread and Edit; 10.5 Choosing the Medium; 10.6 Maintenance; 11 Reference Works; 12 Milestones 7.2.1 Thesis Statement7.2.2 Relevance; 7.2.3 Responsibilities; 7.2.4 Compliance; 7.2.5 Supplementary Information; 7.3 Application-Specific Policy (Tier 3); 8 Additional Hints; 9 Pitfalls to Avoid; 10 Summary; Chapter 5; Asset Classification Policy; 1 Introduction; 2 Overview; 3 Why Classify Information?; 4 What Is Information Classification?; 5 Where to Begin?; 5.1 Information Classification Category Examples; 6 Resist the Urge to Add Categories; 7 What Constitutes Confidential Information?; 8 Employee Responsibilities; 8.1 Owner; 8.2 Custodian; 8.3 User; 9 Classification Examples Front cover; Dedication; Contents; Acknowledgments; About the Author; Introduction; Part 1; Chapter 1; Introduction; 1 Corporate Policies; 2 Organizationwide (Tier 1) Policies1; Employment Practices; Standards of Conduct; Conflict of Interest; Performance Management; Employee Discipline; Information Security; Corporate Communications; Workplace Security; Business Continuity Plans (BCPs); Procurement and Contracts; Records Management; Asset Classification; 3 ORGANIZATIONWIDE POLICY DOCUMENT; 4 Legal Requirements; 5 DUTY OF LOYALTY; 6 Duty of Care; 7 Other Laws And Regulations 13 Responsibilities13.1 Corporate Responsibilities; 14 Development Checklist; 15 Summary; Chapter 4; Developing Policies; 1 Policy Is the Cornerstone; 2 Why Implement Information Security Policy?; 3 Some Major Points for Establishing Policies; 4 What Is a Policy?; 5 Definitions; 5.1 Policy; 5.2 Standards; 5.3 Procedures; 5.4 Guidelines; 6 Policy Key Elements; 7 Policy Format; 7.1 Global Policy (Tier 1); 7.1.1 Topic; 7.1.2 Scope; 7.1.3 Responsibilities; 7.1.4 Compliance or Consequences; 7.1.5 Sample Information Security Global Policies; 7.2 Topic-Specific Policy (Tier 2) INFORMATION SECURITY POLICIES AND PROCEDURES Introduction Corporate Policies Organizationwide (Tier 1) Policies Organizationwide Policy Document Legal Requirements Duty of Loyalty Duty of Care Other Laws and Regulations Business Requirements Where to Begin? Summary Why Manage This Process as a Project? Introduction First Things First: Identify the Sponsor Defining the Scope of Work Time Management Cost Management Planning for Quality Managing Human Resources Creating a Communications Plan Summary Planning and Preparation Introduction Objectives of Policies, Stand As security professionals, we often take the view that the overall objective of an information security program is to protect the integrity, confidentiality, and availability of that information.