Cle Unit - 3 PDF


SYLLABUS

UNIT – 1
Introduction to Computer Security: Definition, Threats to security, Government requirements,
Information Protection and Access Controls, Computer security efforts, Standards, Computer
Security mandates and legislation, Privacy considerations, International security activity
UNIT – 2
Secure System Planning and administration, Introduction to the orange book, Security policy
requirements, accountability, assurance and documentation requirements, Network Security,
The Red book and Government network evaluations.
UNIT – 3
Information security policies and procedures: Corporate policies (Tier 1, Tier 2 and Tier 3
policies), process management, planning and preparation, developing policies, asset
classification policy, developing standards.

03-06-2021 DEPT OF CSE 2


UNIT – 4
Information security: fundamentals, employee responsibilities, information classification,
information handling, tools of information security, information processing, secure program
administration.

UNIT – 5
Organizational and Human Security: Adoption of Information Security Management
Standards, Human Factors in Security- Role of information security professionals.




REFERENCES:
1. Debby Russell and G. T. Gangemi Sr., "Computer Security Basics (Paperback)", 2nd
Edition, O'Reilly Media, 2006.
2. Thomas R. Peltier, "Information Security Policies and Procedures: A Practitioner's
Reference", 2nd Edition, Prentice Hall, 2004.
3. Kenneth J. Knapp, "Cyber Security and Global Information Assurance: Threat Analysis and
Response Solutions", IGI Global, 2009.
4. Thomas R. Peltier, Justin Peltier and John Blackley, "Information Security Fundamentals",
2nd Edition, Prentice Hall, 1996.
5. Jonathan Rosenoer, "Cyber Law: The Law of the Internet", Springer-Verlag, 1997.
6. James Graham, "Cyber Security Essentials", Auerbach Publications, T & F Group.




COURSE OBJECTIVES

1. To make the students understand the types of roles they are expected to play in the society
as practitioners of the civil engineering profession
2. To develop some ideas of the legal and practical aspects of their profession.

COURSE OUTCOMES
1. The students will understand the importance of professional practice, Law and Ethics in
their personal lives and professional careers.
2. The students will learn the rights and responsibilities as an employee, team member and a
global citizen.



UNIT – 3
Information security policies and procedures: Corporate policies (Tier 1, Tier 2
and Tier 3 policies), process management, planning and preparation, developing
policies, asset classification policy, developing standards.



INFORMATION SECURITY POLICIES AND PROCEDURES
• As security professionals, we often take the view that the overall objective of an
information security program is to protect the integrity, confidentiality, and
availability of that information.
• From the organization's perspective, however, this is not the objective.
• Information is an asset and is the property of the organization.
• As it is an asset, management is expected to ensure that appropriate levels of
control are in place to protect this resource.
• An information protection program should be part of any organization’s overall
asset protection program.
• This program is not established to meet security needs or audit requirements;
it is a business process that provides management with the processes needed to
perform its fiduciary responsibility.
• An information security program that includes policies, standards, and procedures
will allow management to demonstrate a standard of care.
• As information security professionals, it is our responsibility to
implement policies that reflect the business and mission needs of the
enterprise.
• This chapter examines the reasons why information security policies
are needed and how they fit into all elements of the organization.
• The development of information security policies is neither an
information technology nor an audit responsibility, nor do these policies
remain solely in these areas.
• Information security requirements belong in organization-wide policies such as
Employment Practices, Employee Standards of Conduct, Conflict of Interest,
Performance Management, Employee Discipline, Information Security, etc.



The concept of information security must permeate through all of the organization's
policies.
This chapter discusses eleven organization-wide policies and, at a minimum, what
each should have with reference to information security.
The policies initially discussed are high-level (Tier 1) organization-wide
policies and include the following:
a) Employment Practices
b) Employee Standards of Conduct
c) Conflict of Interest
d) Performance Management
e) Employee Discipline
f) Information Security
g) Corporate Communications
h) Procurement and Contracts
i) Records Management
j) Asset Classification
k) Workplace Security
l) Business Continuity Planning



CORPORATE POLICIES
• Most organizations have a standard set of policies that govern the way they
perform their business.
• Corporate policies are categorized into three levels: Tier 1, Tier 2 and Tier 3
policies.
• Tier 1 policies (the eleven policies listed above): a Tier 1 policy is implemented to
support the entire business or mission of the enterprise.
• Tier 2 policies: Tier 2 policies are topic-specific policies and address issues related
to a specific subject matter.
• Tier 3 policies: Tier 3 policies address the requirements for using and
supporting specific applications.



Tier 1 Policy



• Tier 1 policies are the organization-wide policies; the first of these is Employment.
• This is the policy that describes the processes required to ensure that all
candidates get an equal opportunity when seeking a position with the
organization.
• This policy discusses the organization’s hiring practices and new employee
orientation.
• It is during the orientation phase that new employees should receive their first
introduction to the information security requirements.
• Included in this process is a Nondisclosure Agreement or Confidentiality
Agreement.
• These agreements require the signatory to keep confidential information secret and
generally remain in effect even after the employee leaves the organization.
• The employment policies should also include condition-of-employment
requirements such as background checks for key management levels or certain
jobs.



• A related element of the Employment policy and the Performance policy is the
publication of job descriptions for every job level.
• These descriptions should include what is expected of employees regarding
information security requirements.

Standards of Conduct
• This policy addresses what is expected of employees and how they are to conduct
themselves when on company property or when representing the organization.
• This policy normally discusses examples of unacceptable behavior (dishonesty,
sleeping on the job, substance abuse, introduction of unauthorized software into
company systems) and the penalties for infractions.
• Also included in this policy is a statement that “Company management has the
responsibility to manage enterprise information, personnel, and physical
properties relevant to their business operations, as well as the right to monitor
the actual utilization of these enterprise assets.”
• The policy should also address confidential information: "Employees
shall also maintain the confidentiality of corporate information."
• A discussion on unacceptable conduct is generally included in an employee code
of conduct policy; this should include a discussion on unauthorized code and
copyright compliance.
Conflict of Interest
• Company employees are expected to adhere to the highest standards of conduct.
• To assure adherence to these standards, employees must have a special sensitivity
to conflict-of-interest situations or relationships, as well as the inappropriateness
of personal involvement in them.
• While not always covered by law, these situations can harm the company or its
reputation if improperly handled.
• This is where discussions about due diligence will be addressed. Many
organizations restrict conflict-of-interest policy requirements to management
levels; all employees should be required to annually review and sign a
responsibility statement.
Performance Management
• This policy discusses how employee job performance is to be used in determining
an employee’s appraisal.
• Information security requirements should be included as an element that affects
the level of employee performance.
• As discussed, having job descriptions for each job assignment will ensure that
employees are reviewed fairly and completely at least annually on how they do
their job and part of that includes information security.
Employee Discipline
• When things go wrong, this policy outlines the steps that are to be taken.
• As with all policies, it discusses who is responsible for what and leads those
individuals to more extensive procedures.
• This policy is very important for an effective information security program.
• When an investigation begins, it may eventually lead to a need to implement
sanctions on an employee or group of employees.
• Having a policy that establishes who is responsible for administering these
sanctions will ensure that all involved in the investigation are properly protected.
Information Security
• This is the cornerstone of the information security program and works in close
harmony with the enterprise-wide Asset Classification Policy and the Records
Management Policy.
• This policy establishes the concept that information is an asset and the property of
the organization, and that all employees are required to protect this asset.
Corporate Communications
• This policy will support the concepts established in the Employee Standards of
Conduct, which address employee conduct and include harassment whether
sexual, racial, religious, or ethnic.
• The policy also discusses libelous and slanderous content and the organization’s
position on such behavior.
• The policy also addresses requests from outside organizations for information.
• This will include media requests for information as well as representing the
organization by speaking at or submitting whitepapers for various business-related
conferences or societies.
Workplace Security
• Workplace security policy addresses the need to provide a safe and secure work
environment for the employees.
• The need to implement sound security practices to protect employees, organization
property, and information assets is established here.
• Included in this policy are the basic security tenets of authorized access to the
facility, visitor requirements, property removal, and emergency response plans,
which include evacuation procedures.
Business Continuity Plans (BCPs)
• For years this process was relegated to the Information Technology department
and consisted mainly of the IT disaster recovery plan for the processing
environment.
• The proper focus for this policy is the establishment of business unit procedures to
support restoration of critical business processes, applications, and systems in the
event of an outage.



Included in the Business Continuity Plan Policy are the needs for business units to:
✓Establish effective continuity plans.
✓Conduct business impact analyses for all applications, systems, and
business processes.
✓Identify preventive controls.
✓Coordinate the business unit BCP with the IT disaster recovery plan.
✓Maintain the plan to a current state of readiness.
Procurement and Contracts
• This policy establishes the way in which the organization conducts its business
with outside firms.
• This policy addresses those items that must be included in any contract, and this
includes language that discusses the need for third parties to comply with the
organization's policies, procedures, and standards.
• This policy is probably one of the most important for information security and
other organization policies and standards.
• We can only write policies and establish standards and procedures for employees;
all other third parties must be handled contractually.
• It is very important that the contract language references any policies, standards,
and procedures that are deemed appropriate.
• Work with the procurement group and legal staff to ensure that purchase orders
and contracts have the necessary language.
• It would be wise to include a confidentiality or nondisclosure agreement. An
example of a confidentiality agreement is included in the Sample Policy and
Standards section of this book.



Records Management
• This policy was previously referred to as Records Retention, but the concept has
been refined.
• Most organizations know that there will be a time when it will be necessary to
destroy records.
• The Records Management Policy will establish the standards for ensuring
information is there as required by regulations and when it is time to properly
dispose of the information.
This policy normally establishes:
✓The record name
✓A brief description of the record
✓The owning department
✓The required length of time to keep the record



Asset Classification
• Asset classification policy establishes the need to classify information, the
classification categories, and who is responsible for doing so.
• It normally includes the concepts of employee responsibilities, such as the
Owner, Custodian, and User.
• It is a companion policy to the Records Management Policy in that it adds the
following two elements to the record identification established there, turning it
into an asset classification:
✓The classification level
✓The owner’s job title



Policy Format
The actual physical format (layout) of the policy will depend on what policies look
like in your own organization.
Policies are generally brief in comparison to procedures and normally consist of one
page of text using both sides of the paper.
In my classes I stress the concept of brevity. However, it is important to balance
brevity with clarity.
Utilize all the words you need to complete the thought, but fight the urge to add
more information.
While writing a policy, balance the reader's limited attention span with what needs
to be addressed: keep it brief but make it understandable.



• There are three types of policies and you will use each type at different times in
your information security program and throughout the organization to support the
business process or mission.
• The three types of policies are:
✓1. Global (Tier 1). These are used to create the organization’s overall vision
and direction.
✓2. Topic-specific (Tier 2). These address particular subjects of concern.
✓3. Application-specific (Tier 3). These focus on decisions taken by
management to control particular applications (financial reporting, payroll,
etc.) or specific systems (budgeting system).



• We discuss the information security architecture and each category with the help of
the following figure.



Global (Tier 1) Policy
• Under the Standard of Due Care, and charged with the ultimate responsibility for
meeting business objectives or mission requirements, senior management must
ensure that necessary resources are effectively applied to develop the capabilities
to meet the mission requirements.
• Senior management must incorporate the results of the risk analysis process into
the decision-making process.
• Senior management is also responsible for issuing global policies to establish the
organization's direction in protecting information assets.
The components of a global (Tier 1) policy include the following four characteristics:
a) Topic
b) Scope
c) Responsibilities
d) Compliance or Consequences



Topic
The topic portion of the policy defines what specifically the policy is going to
address.
Because the attention span of readers is limited, the topic must appear quickly, say
in the opening or topic sentence. I normally suggest (note it is a guideline, not a
standard) that the topic sentence also include a “hook.” That is, why I as a reader
should continue to read this policy.
• So in the opening sentence we will want to convey two important elements: (1) the
topic (it should have something to do with the title of the policy), and (2) the hook
(why the reader should continue reading the policy).
• An opening topic sentence might read as follows: “Information created while
employed by the company is the property of the company and must be properly
protected.”



Scope
The scope can be used to broaden or narrow either the topic or the audience.
In an information security policy statement, we could say that “information is an
asset and the property of the company and all employees are responsible for
protecting that asset.”
In this sentence we have broadened the audience to include all employees.
We can also say something like “Business information is an essential asset of the
Company.
This is true of all business information within the Company, regardless of
how it is created, distributed, or stored and whether it is typed, handwritten,
printed, filmed, computer-generated, or spoken.” Here, the writer broadened the
topic to include all types of information assets.



Responsibilities
This section of the policy will identify who is responsible for what. When writing,
it is better to identify the "who" by job title and not by name.
Here again, the Office Administrator’s Reference Guide can be of great assistance.
The policy will want to identify what is expected from each of the stakeholders.
Compliance or Consequences
When business units or employees are found in a noncompliant situation, the
policy must spell out the consequences of these actions.
For business units or departments, if they are found in noncompliance, they are
generally subject to an audit item and will have to prepare a formal compliance
response.



For employees, being found in noncompliance with a company
policy will mean they are in violation of the organization's Employee
Standards of Conduct and will be subject to the consequences described
in the Employee Discipline Policy.
