Question number 1.

Information Security Policy. An Information Security Policy is the cornerstone of an Information Security Program. It should reflect the organization's objectives for security and the agreed upon management strategy for securing information.

In order to be useful in providing authority to execute the remainder of the Information Security Program, it must also be formally agreed upon by executive management. This means that, in order to compose an information security policy document, an organization has to have well-defined objectives for security and an agreed-upon management strategy for securing information. If there is debate over the content of the policy, then the debate will continue throughout subsequent attempts to enforce it, with the consequence that the Information Security Program itself will be dysfunctional.

Many organizations struggle with writing applicable policies that are relevant to their changing environments. There are a plethora of security-policy-in-a-box products on the market, but few of them will be formally agreed upon by executive management without being explained in detail by a security professional. This is not likely to happen due to time constraints inherent in executive management. Even if it was possible to immediately have management endorse an off-the-shelf policy, it is not the right approach to attempt to teach management how to think about security. Rather, the first step in composing a security policy is to find out how management views security. As a security policy is, by definition, a set of management mandates with respect to information security, these mandates provide the marching orders for the security professional. If the security professional instead provides mandates to executive management to sign off on, management requirements are likely to be overlooked.

why do you think many organization struggle with writing policies?

question number 2

In the attached white paper it states:

As computers become more common place in homes, and more necessary in businesses of all types, the incidence of information security related breaches has grown accordingly. Where once only large corporate environments were susceptible to attack, increasingly individuals and small business networks are being targeted. It is not, however, only from outside that these attacks originate; consider the following scenario:

"A man comes home from work and sits down at the family computer to update is checkbook. After double-clicking on the program icon, he receives a message that his data file cannot be found; further searching reveals that the file no longer exists. Asking his wife if she knows anything about the problem, he is told, "The kids were playing around on the computer earlier today." Interrogation of his children reveals that they had deleted his checkbook file because they, "...needed more space on the hard drive for games."

While this illustration is not based on any known incident, it is certainly a plausible situation, and demonstrates the need for information security even at the individual level. What can be done to mitigate the risk of an information security incident, and how should people approach the task? After reading the attached white paper do you feel the information that is connected to the Internet can ever be secure ? Will we ever be able to mitigate vulnerability to an acceptable level?