Part 1: Review Questions
- What is information security policy? Why is it critical to the success of the information security program?
- For a policy to have any effect, what must happen after it is approved by management? What are some ways this can be accomplished?
- List and describe the three types of information security policy as described by NIST SP 800-14
- List and describe the three approaches to policy development presented in the text. In your opinion, which is better suited for use by a smaller organization, and why? If the target organization were very much larger, which approach would be superior and why?
Part 2: Module Practice
Using the framework presented in this chapter, draft a sample issue-specific security policy for an organization. At the beginning of your document, describe the organization for which you are creating the policy, and then complete the policy using the framework. What other scenarios do you think are important enough to need a plan?