Issue-Specific Security Policy for the case organization.

ISSP Policy Recommendations for {Case Organization} Ima Student

ISSP Policy on {Issue} for {Case Organization} , {Your Name}


ISSP on {Issue} for {Case Organization}

In this section the student should write a complete ISSP on the topic provided, using the outline below, as described in the text to serve as an example the organization can follow in writing the other ISSPs (typically 4-6 pages).

<Case organization> refers to the company described in the case organization document.

<issues> refers to the assigned subject of this ISSP (e.g. fair and responsible use of company computers/networks).

DO NOT SIMPLY USE THE PROVIDED TEXT – some generic examples are provided. It’s up to you to use these to write your own policy paragraphs, adapting the provided example as necessary. In many cases additional discussion or description is needed.

There should be no need for quotations (which are prohibited) or for in-text citations from paraphrasing. If you generally summarize outside material, it should be included as a reference, but the body of the policy should be 100% your own writing – other than the outline provided in bold.

1. Statement of Purpose

Don’t put text after a numbered header – put it after the lettered sub-sections.

a. Scope and Applicability

A discussion of the purpose, scope and applicability of the policy. “The purpose of this policy is to specify the fair and responsible use of <topic/technologies> by <case organization> employees, partners, contractors, associates and their bartenders (etc.)…

b. Definition of Technology Addressed

A definition of any technologies discussed in this policy document. This is the only section of the document that may comprise a list.

“As described in this policy, the following terms and definitions are used:

Computer – describes any desktop, laptop, tablet or server owned by <case organization> and used to support its operations.

(etc.) …

c. Responsibilities

A discussion of the roles and responsibilities of all personnel defined in 1a. above, including users, management, IT, InfoSec, and policy administrators. Should address their responsibilities both in the fair use of <topic/technology> and in the administration of this policy as applicable. Avoid using personal names, instead use titles or positions.

“Upper management of <case organization> is responsible for providing strategic guidance and…

“All users are expected to use the <issues> responsibly and only in support of their assigned duties and responsibilities… Further, all authorized users are expected to protect and safeguard all (data/hardware/software/networking/stuff) associated with <issues>…”

“The Senior Policy Manager is responsible for the administration, distribution and enforcement of this policy…”

“The <case organization> office of issuing-user-access-and-assigning-privileges is responsible for implementing the technical access controls allowing access to information specified by each authorized user’s position and responsibilities, subject to the principles of least privilege and need-to-know…”

“Each data owner is responsible for determining the information each user needs to access and the conditions and restrictions of that access…”

(etc.) …

2. Authorized Uses

a. User Access

Describes the who, what, when, where, why and by whom of access to and use of the <assigned issues>.

“Access to <assigned issues> will be controlled and administered by the <case organization> office of controlling-and-administering of stuff…”

“Users are restricted to use of <issues> during business hours, on company premises, and only using company-issued stuff …”

(etc.) …

b. Fair and Responsible Use

Describes what authorized users of the <assigned issues> CAN use them for.

“All <case organization> assigned <issues> are to be used by authorized users as specified in 1.a. above, and exclusively in support of company operations…”

(etc.) …

c. Protection of Privacy

Emphasizes and defines the requirement to protect sensitive data (including PII) associated with users and data within <case organization>’s systems. Includes all individuals, organizations and systems that may have data within the <assigned issues>.

“Assigned access to sensitive data (e.g. customer/employee/HIPAA/product/partner/supplier data) is restricted to authorized use in support of official <case organization> operations on a need-to-know/least privilege basis…”

“<Case organization> will take every reasonable precaution to protect and administer the protection of all classifications of data transmitted, stored or processed by <issues> in accordance with <case organization> Data Classification and Sensitive Data Management policies, and all applicable local/state/federal/international laws/policies/regulations …”

(etc.) …

3. Prohibited Uses

a. Disruptive Use or Misuse

Describes what authorized users of the <issues> CANNOT use them for.

“Any use that is not in direct support of <case organization> operations is considered misuse and thus expressly prohibited. This includes but is not limited to social media sites, shopping sites, entertainment sites, etc., except as related to official business…”

“All users are prohibited from personal use of <case organization> assigned <issues> or use outside business hours or from outside the organizational properties and systems…”

“All users are further prohibited from the connection of personal technologies and systems to <case organization> assigned <issues> or the storage of <case organization> data on personal technologies and systems, to include but not limited to…”

“All users are required to maintain currency on security threats to <issues> in order to avoid accidental disruptive use (e.g. opening malware-infected emails or accessing spoofed web sites). Failure to maintain currency through scheduled security training will result in loss of access…”

(etc.) …

b. Criminal Use

Emphasizes that <case organization> will not tolerate criminal use of its <issues>, and in fact will assist in prosecution should anyone described in the scope and applicability section use the <issues> for illegal activities.

“All users of <case organization> <issues> are expressly prohibited from use of said <issues> in illegal, illicit or criminal actions or activities…”

“Any attempts to gain unauthorized access to <case organization> <issues> or escalate privileges will be treated as criminal use, and prosecuted…”

“Should any individual be determined to have violated this clause, <case organization> will fully support and facilitate any and all criminal proceedings resulting from such use. Further, no legal support will be provided to anyone formally accused of violating any (local/state/federal/international) (law/policy/regulation) ….”

(etc.) …

c. Offensive or Harassing Materials

“<Case organization> promotes and supports a work environment free from harassment or exposure to offensive materials. Any use of <issue> that results in the creation of a hostile work environment will be investigated by the <case organization> office of offensive-and-harassing-materials-creating-a-hostile-work-environment-investigations. Violators will be subject to disciplinary actions, and possibly legal prosecution…”

d. Copyrighted, Licensed, or Other Intellectual Property

Specifies the expectation to protect copyrights, licenses and IP of the <case organization> and any materials related to <issues> currently in the possession of <case organization>.

Section should refer to applicable (laws/regulations/policies).

“In accordance with U.S. Copyright Law, as well as other laws and regulations of the U.S. and the State of (case organization’s state), all responsible individuals as defined in Sections 1.a. and 1.c. are prohibited from the unauthorized installation, use, duplication, and distribution in violation of (copyright/intellectual property/trademarks/patents) associated with <issues>, to include, but not limited to…”

“Violators of this policy will be subject to disciplinary action, and possibly legal prosecution…”

(etc.) …

e. Other Restrictions

A discussion of any restrictions not covered in the above.

“Any individual described in Sections 1.a. and 1.c. above may not move <issues> item(s) from its/their assigned location as determined by the <case organization> official positioner of stuff…”

“No authorized user may allow another user, authorized or not, to use their access credentials, workstation, or technology associated with <issues>…”

(etc.) …

4. Systems Management

a. Management of Stored Materials

This section will specify the expectations associated with the administration of the storage and protection of data or other information associated with <issues> to include, but not limited to, both hard and electronic copies of data, whether internal (as in storage locations in the cloud, networked hard drives, etc.) or external (as in Flash/USB drives) or print-outs, copies stored in filing systems, desks, briefcases, etc. Includes the who/what/when/where and why of storage, including data classification and retention regulation.

“No data associated with <case organization> <issues> may be printed, downloaded, filed, stored, or transported to offsite locations, except as part of authorized and monitored data backups performed by the <case organization> official backer-upper-of-stuff…”

“All on-site data must be stored in the assigned network drive…”

“All hard copy (reports/printouts) must be secured at all times in accordance with the <case organization> Clean Desk policy…”

“Refer to the <case organization> Information Retention and Disposal policy for details on how long data should be retained, and proper methods of disposal…”

“Refer to the <case organization> policy on information classification for details on how different classifications of materials should be labeled and stored…”

“Refer to the <case organization> policy on (other issues) for details on managing materials associated with that issue…”

(etc.) …

b. Employer Monitoring

This section serves to remind users of, and reinforce, the organization’s position on employer monitoring – but only of that associated with <issues>.

“<Case organization> reserves the right to monitor any and all communications and data transmitted, stored or processed by <issues> for suspected violations of this policy, criminal actions, information security breaches, malware and any other suspicious activity…”

“Any use of <issues> constitutes consent to such monitoring…”

“All monitoring will be managed by the <case organization> office of monitoring-stuff-on-<issues>.”

(etc.) …

c. Virus Protection

A brief discussion of the expectation of the use of malware protection associated with <issues> and a prohibition against tampering with or removing said protection.

“All authorized users of <issues> are to ensure that all reasonable and customary malware protection technologies are deployed and operational, and are expressly prohibited from adjusting, tampering with, or removing those protections. Should these protections be missing or non-functional, immediately contact the <case organization> office of malware-protection-installation-and-operations for technical support.”

d. Physical Security

A brief discussion of the expectation of the requirements for access and protection of any use of any physical information or technology associated with <issues>.

“All authorized users of <issues> are to ensure that said items are only used in protected locations, and upon completion of use, to return said items to a fully locked and secured state…”

“This includes all inputs, outputs, components, devices, widgets, gizmos and gadgets associated with <issues> to include, but not limited to, data stored on any external disk/drive/tape/hard copy/holographic crystal storage device or thing…”

“The <case organization> office of locks-keys-and-other-physical-security-stuff is responsible for the administration and regulation of physical security. Should anyone identify or discover <issues> left in an unsecured state, report to this office immediately…”

(etc.) …

e. Encryption

A brief discussion of the expectation of the requirements for the use of encryption when authorized to transmit data associated with <issues> if such transmissions are authorized to begin with…

“All authorized <case organization> external-transmitters-of-data associated with <issues> must ensure that any transmission of said data must employ <case organization> standard encryption technologies, based on current DoD Advanced Encryption Standards…”

“Any use of encryption should be in compliance with the <case organization> policy on encryption and should ensure all keys are escrowed with the <case organization> office of external-data-transmission-encryption. Contact this office for authorization and training on the use of encryption…”

(etc.) …

5. Violations of Policy

a. Procedures for Reporting Violations

This section will describe the process for reporting a suspected violation of this policy…

“Anyone observing a violation of this policy should immediately report it to the <case organization> office of policy-violation-and-reporting using the anonymous web form located at http://www.<case organization>.org/anonymous-policy-violation-reporting-form.html.”

(etc.) …

b. Penalties for Violations

This section will describe the general penalties for violating this policy.

“Any individual determined to have violated any portion of this policy will be subject to disciplinary action, up to and including termination. Any individual determined to have committed a crime associated with this or any <case organization> resource or technology will also be referred to local, state or federal law enforcement for legal proceedings…”

“<Case organization> will provide no legal support for anyone found to have violated its policies or any law or regulation…”

(etc.) …

6. Policy Management

a. Scheduled Review of Policy

Briefly describe the process for revising this policy.

“The <case organization> office of policy-management-and-scheduled-review-and-revision is responsible for revision and improvement of this policy on an annual basis.”

(etc.) …

b. Procedures for Modification

“The <case organization> office of policy-management-and-scheduled-review-and-revision will solicit recommendations for revision and improvement through the anonymous web form located at http://www.<case organization>.org/anonymous-policy-recommendations-for-revision-and-improvement.html.”

“Revised policies will be circulated for comment for a period of not more than 30 days following a review cycle, to allow recommendations for improvement, before submission to management for formal approval…”

“Revised and approved policies will be distributed via the <case organization> policy administration site located at http://www.<case organization>.org/policy-training-distribution-comprehension-understanding-and-enforcement.html, where formal policy training and compliance will be conducted…”

“All individuals specified in Sections 1.a. and 1.c. above are expected to complete training and certification on this policy annually…”

(etc.) …

7. Limitations of Liability

a. Statements of Liability

A general statement limiting the liability of <case organization> should an <issues> user violate policy and commit a crime in doing so.

“<Case organization> accepts no liability associated with the conduct of any individual violating this policy and in doing so committing a crime…”

“Further, <case organization> will assist in the prosecution of any individual who does so, so long as such legal actions are in the best interest of <case organization> and its stakeholders…”

(etc.) …

b. Other Disclaimers

A general statement covering anything not covered in 7.a. above.

“This policy was created based on current local/state/federal laws/regulations associated with and impacting <issues>, as of the date indicated below. Any revisions to said laws/regulation that may impact this policy will be taken into consideration during the annual review process, or upon notification to <case organization>’s legal counsel…”

(etc.) …


References

Here you should describe all references and support documents used in the creation of this policy in APA format. Note any quotation, paraphrasing, graphic, table etc. used from an outside source must contain an in-text citation, as well as a reference here. For the purposes of this project do not directly quote any outside source other than in the Definitions section 1.b.
