Presented by Ari Moesriami, Institut Teknologi Telkom Bandung mbarmawi@melsa.net.id

1. Information Security Policies
and Standards
Ari Moesriami
Institut Teknologi Telkom
Bandung
mbarmawi@melsa.net.id

2. The challenges
 Define security policies and standards
 Measure actual security against policy
 Report violations to policy
 Correct violations to conform with policy
 Summarize policy compliance for the
organization

3. Where do we start?

4. The Foundation of Information
Security

5. The Information Security
Functions

6. Managing Information Security

7. Policies

8. The Purpose
Provide a framework for the
management of security
across the enterprise

9. Definitions
 Policies
 High level statements that provide guidance to
workers who must make present and future
decision
 Standards
 Requirement statements that provide specific
technical specifications
 Guidelines
 Optional but recommended specifications

10. Security Policy
Access to
network resource
will be granted
Passwords
through a unique
will be 8
user ID and
characters
password
long
Passwords
should include
one non-alpha
and not found
in dictionary

11. Elements of Policies
 Set the tone of Management
 Establish roles and responsibility
 Define asset classifications
 Provide direction for decisions
 Establish the scope of authority
 Provide a basis for guidelines and procedures
 Establish accountability
 Describe appropriate use of assets
 Establish relationships to legal requirements

12. Policies should……
Clearly identify and define
the information
security goals and the goals
of the institution/unit/company.

13. The Ten-Step Approach

14. Policy Hierarchy
Governance
Policy
Access User ID
Control Policy
Policy
Access
Password User ID
Control
Construction Naming
Authentication
Standard Standard
Standard
Strong
Password
Construction
Guidelines