Question


1. Describe ethics, which are based on cultural mores and express the fixed moral attitudes or customs of a particular group. Some ethics are recognized as universal among cultures.
2. Explain how within an organization, information security professionals help maintain security via the establishment and enforcement of policies.
3. Explain how policies function as laws and must be crafted with the same care to ensure that they are complete, appropriate, and fairly applied to everyone in the workplace.
4. Describe management’s role in the development, maintenance, and enforcement of information security policy, standards, practices, procedures, and guidelines.

You can use this book: Michael E. Whitman, Principles of Information Security, 6th Edition
Answer #1

Answer 1:

Ethics define socially acceptable behaviors. Ethics in turn are based on cultural mores: the fixed moral attitudes or customs of a particular group. Some ethical standards are universal. For example, murder, theft, assault, and arson are actions that deviate from ethical and legal codes throughout the world. In one sentence, law sets the minimum standard of human behavior while ethics sets the maximum standard of human behavior. Law prescribes remedies and punishments for the violation of the standards it sets while ethics expects an ideal set of behavior of individuals concerned. Moral and ethical values can be instrumental in guiding the law making.

Answer 2:

Information security professionals help maintain security via the establishment and enforcement of policies. Thus, for a policy to become enforceable, it must meet the following five criteria:

Dissemination (distribution)—The organization must be able to demonstrate that the relevant policy has been made readily available for review by the employee. Common dissemination techniques include hard copy and electronic distribution.

Review (reading)—The organization must be able to demonstrate that it disseminated the document in an intelligible form, including versions for illiterate, non-English reading, and reading-impaired employees. Common techniques include recordings of the policy in English and alternate languages.

Comprehension (understanding)—The organization must be able to demonstrate that the employee understood the requirements and content of the policy. Common techniques include quizzes and other assessments.

Compliance (agreement)—The organization must be able to demonstrate that the employee agreed to comply with the policy through act or affirmation. Common techniques include logon banners, which require a specific action (mouse click or keystroke) to acknowledge agreement, or a signed document clearly indicating the employee has read, understood, and agreed to comply with the policy.

Uniform enforcement—The organization must be able to demonstrate that the policy has been uniformly enforced, regardless of employee status or assignment.

Answer 3:

Within an organization, information security professionals help maintain security via the establishment and enforcement of policies. These policies—guidelines that describe acceptable and unacceptable employee behaviors in the workplace—function as organizational laws, complete with penalties, judicial practices, and sanctions to require compliance. Because these policies function as laws, they must be crafted and implemented with the same care to ensure that they are complete, appropriate, and fairly applied to everyone in the workplace. The difference between a policy and a law, however, is that ignorance of a policy is an acceptable defense.

Answer 4:

Management must make the policies the basis for all information security, planning, design and deployment. Policies direct how issues are addressed and how technologies are used. Information security is primarily a management problem, not a technical one; quality security programs begin and end with policy.

  • Creation of information security program begins with creation and/or review of organization’s information security policies, standards, and practices
  • Then, selection or creation of information security architecture and the development and use of a detailed information security blueprint creates plan for future success
  • Without policy, blueprints, and planning, organization is unable to meet information security needs of various communities of interest.

Policies, Standards, and Practices (figure)

  • Policies are sanctioned by senior management. Policies drive standards.
  • Standards are built on sound policy and carry the weight of policy. Standards drive practices, procedures, and guidelines.
  • Practices, procedures, and guidelines include detailed steps required to meet the requirements of standards.

Policy Management

  • Policies must be managed as they constantly change
  • To remain viable, security policies must have:
    • Individual responsible for reviews
    • A schedule of reviews
    • Method for making recommendations for reviews
    • Specific policy issuance and revision date.