Issue-specific policy


Definitions

Computer security

An issue-specific policy

  • [is] intended to address specific needs within an organization, such as a password policy.[1]
  • addresses issues of current relevance and concern to the agency. Issue-specific policy statements are likely to be limited, particular, and rapidly changing. Their promulgation may be triggered by a computer security incident.[2]

Overview

U.S. government

The agency's body of issue-specific policy statements is likely by its nature to lack a coherent relationship to information security goals. Individual policy statements, however, may be highly pertinent to these goals, such as those governing Internet access by users, installation of unauthorized software or equipment, and the sending/receipt of attachments to email. Agencies should begin by gathering all issue-specific policies, organizing them by topic, selecting those that appear to affect security goals for further analysis, and identifying areas where additional policies may be needed. When an issue-specific policy statement needs to be formulated or revised, NIST suggests the following structure:

  • Issue statement. This statement should include terms, definitions, and conditions; for example, what is "unauthorized software"? Include the rationale or justification for the policy if possible.
  • Statement of the agency's position. This statement reflects management's decision on the policy; for example, "The use of unauthorized software is prohibited."
  • Applicability. The applicability statement specifies where, how, when, to whom, and to what the policy applies.
  • Compliance. Who is responsible for enforcing the policy? Who is authorized to grant exceptions?
  • Points of contact for information or guidance.

References

  1. SANS Glossary of Security Terms.
  2. NIST Special Publication 800-18, at 33-34.

Source
