Learning Objective: Recognize the three major types of information security policy and know what goes into each type.
NIST published Generally Accepted Principles and Practices for Securing Information Technology Systems (NIST 800-14) in 1996.
For many years, government agencies used NIST 800-14 as a source for developing information security policies (program, issue-specific, systems-specific, etc.). The guide was also used to prepare for contingencies, incident handling, and training.
Review 800-14 Generally Accepted Principles and Practices for Securing Information Technology Systems -> http://csrc.nist.gov/publications/nistpubs/800-14/800-14.pdf
After reviewing the NIST document and completing the reading assignment, write a 2-3 page paper that addresses the following:
- In the introduction, describe the importance of security policies.
- Use your text or other resources and provide an introduction to the three major types of information security policies (enterprise information security program policy, issue-specific information security policies, and systems-specific information security policies).
- Identify the types of information contained in each of the three types of policies.
- Compare and contrast the three policies.
- How much have policies changed since the 1996 publication?
- Are the same principles identified in 1996 applicable to today?
- Your thoughts?
- Format: Microsoft Word
- Font: Arial, 12-Point, Double-Space
- Citation Style: APA
- Length: 2–3 pages (plus a cover sheet)