Lec 4

The document outlines various information systems security policies related to the User Domain, including the Security Awareness Policy (SAP), Acceptable Use Policy (AUP), and Privileged-Level Access Agreement (PAA). It emphasizes the importance of governing user behavior to mitigate risks and ensure compliance, detailing the roles of different managers in policy development and implementation. Additionally, it highlights the need for a culture of security awareness among users, who are often considered the weakest link in the security chain.


Security Policies and Implementation Issues

Lesson 4: User Policies

© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
Learning Objective

• Describe the different information systems security (ISS) policies associated with the User Domain.
Key Concepts

• Reasons for governing users with policies
• Regular and privileged users
• Acceptable use policy (AUP) and privileged-level access agreement (PAA)
• Security awareness policy (SAP)
• Differences between public and private User Domain policies
Security Awareness Policy (SAP)

• Addresses:
  • Basic principles of information security
  • Awareness of risk and threats
  • Dealing with unexpected risk
  • Reporting suspicious activity, incidents, and breaches
  • Building a culture that is security and risk aware
Acceptable Use Policy (AUP)

• Attempts to protect an organization's computers and network
• Addresses password management
• Addresses software licenses
• Addresses intellectual property management
• Describes e-mail etiquette
• Describes the level of privacy an individual should expect when using an organization's computer or network
• Describes noncompliance consequences
Privileged-Level Access Agreement (PAA)

• Acknowledges the risk associated with elevated access in the event the credentials are breached or abused
• Asks user to promise to use access only for approved organization business
• Asks user to promise not to attempt to “hack” or breach security
• Asks user to promise to protect any output from these credentials such as reports, logs, files, and downloads
Different Types of Users within an Organization

Example of User Types

User-Access Requirements
Who Develops User Policies

• Chief financial officer (CFO)
• Chief operations officer (COO)
• Information security manager
• IT manager
• Marketing and sales manager
• Unit manager
• Materials manager
• Purchasing manager
• Inventory manager
Roles and Responsibilities

• Executive Managers
  • Responsible for governance and compliance requirements, and funding and policy support
• Program and Functional Managers
  • Responsible for security management, planning, and implementation; also risk management and contingency planning
• IT Security Program Managers
  • Responsible for broad training in security planning, system and application security management, risk management, and contingency planning
• Auditors
  • Responsible for auditing log files and reviewing policies and implemented controls
• All Users
  • Responsible for basic security
Differences and Similarities in User Domain Policies

The User as the Weakest Link in the Security Chain