Security Policies

I really appreciated the 5 days of CISSP preparation, with a huge synthesis of the important points of the two CISSP reference books, which made it possible to cover the whole perimeter of the 10 CBK domains effectively in 5 days of preparation and to save a lot of revision time.

The small group allowed a lot of interactivity and exchanges and, despite a very dense program, we managed to cover everything in a good atmosphere.

A security policy can be:

An organizational policy that dictates how a security program will be set up, lays out the program’s goals, assigns responsibilities, shows the strategic and tactical value of security, provides the scope and direction for all future security activities within the organization, and describes the amount of risk senior management is willing to accept. This policy must address relevant laws, regulations, and liability issues, and how they are to be satisfied.

An issue-specific policy (functional implementing policy) that addresses specific security issues that management feels need more detailed explanation and attention, to make sure a comprehensive structure is built and all employees understand how they are to comply with these security issues.

A system-specific policy that presents management’s decisions specific to the actual computers, networks, applications, and data. This type of policy specifies how systems are to be used and what would be an approved and secured configuration compliant with the organization’s business needs.