What are the steps of the information security program lifecycle?

Explain the Information Security Policy Lifecycle with a neat diagram, and list in a table how the responsibilities associated with the policy lifecycle process are distributed throughout an organization.

My answer is: Information security policy consists of 4 components; every component has many parts, and the components are related to each other: if you do not finish the first component and its parts, you cannot go to the second component. Every component has a specific job to finish. The Information Security Policy Lifecycle parts are Develop, Publish, Adopt:

[Diagram: the four phases of the Information Security Policy Lifecycle and the sub-steps under each]

Develop: Planning, Research, Writing, Vet, Approve, Authorize
Publish: Communicate, Disseminate, Educate
Adopt: Implement, Monitor, Enforce
Review: Solicit feedback, Reauthorize or retire

Is that the correct answer? If not, please explain the answer to me.

Information Security Policy Development Life Cycle consists of
four major phases: Risk Assessment, Policy Construction, Policy
Implementation, Policy Monitoring and Maintenance. Each phase can
be expanded into steps detailing the activities that occur within
each phase. Policy development is an iterative and continuous
process.
Due to changes in technology, the business environment and legal
compliance requirements, the policy implementation phase will
always be followed by a maintenance phase which incorporates these
changes and a monitoring phase which ensures that the directives of
the policy are executed operationally (i.e. policy compliance).
The figure below summarizes the main steps of the Information Security
Policy Development Life Cycle:

Management buy-in and approval is depicted at the top of the
ISP-DLC diagram and spans all phases as a crucial component of a
successful policy development life cycle. Top management is
ultimately responsible for the well-being of an organization. They
normally use policies to spell out their management support and
direction. These policies need to be communicated to all staff
members. The need for staff cooperation is incorporated in the
ISP-DLC diagram as a horizontal bar spanning the whole policy
development life cycle in a supportive way. Employees need to know
what they should and should not be doing, as individuals, in order
to maintain the appropriate levels of security. Therefore, a
communication strategy between managers and staff members is needed
throughout the whole policy development life cycle.
The roles of management and staff are further discussed below.
Phase 1: Risk assessment
The risk assessment phase identifies the business assets an
organization wants to protect, and identifies potential threats to
those assets by asking the following questions:
• What must be protected? (i.e. Assets)
• What must the assets be protected against? (i.e. Threats and
vulnerabilities)
• How much is the organization willing to spend to have adequate
protection?
• What is the cost versus the benefit for the business?
The phase consists of four sub-steps: Identify the assets,
Identify vulnerabilities and threats, Summarize risk assessment
results, Evaluate possible measures and controls. These sub-steps
must be executed in sequence and the result will be used to decide
what to incorporate in the security policies in order to ensure
that the identified risks are mitigated.
Management buy-in and staff support (Phase 1)
Based on the result of the risk assessment, management must
evaluate the costs and benefits of implementing the recommended
controls to reduce risk to an acceptable level. If the envisaged
expense is within budget, the next phase of policy construction can
commence. If not, the risk mitigation strategies will need to be
revised to be within budget or the budget must be increased. At
this stage of the policy development life cycle, the involvement of
management is a primary requirement, whereas staff in general will
only be involved from a risk assessment point of view.
Phase 2: Policy construction
The security policy is developed during this phase based on the
findings and recommendations to reduce the risks posed by threats
and vulnerabilities as agreed on in the risk assessment phase. This
phase will also consider business strategies and objectives and
legal requirements during the construction of the policies. The
phase comprises the following sub-steps: Draft a one-page
policy statement and high level outline of security requirements,
Review and approve high level policy statement, Draft detailed
policy documents, Review and approve detailed policy statements,
Publish approved security policies. The process of writing the
information security policies involves selecting appropriate
control objectives that need to be achieved.
Management buy-in and staff support (Phase 2)
Except for the integral role of management to review and approve
the policy drafts and final security policy documents, their
express commitment to and support of the policies are required with
a further concerted effort to ensure proper communication of
policies to staff. A communication plan that enables audience
feedback must be initiated during the policy construction phase to
prepare the organization for the upcoming changes and to enable
individuals to influence the formation of the new policy.
Involvement is critical in moving users through the stages of
commitment from preparation through acceptance and ultimately to
the commitment stage. In addition, a new or updated security policy
will inevitably change something about the way someone is working,
and such changes, no matter how small, require attention. The
impact of the change must be assessed to make sure it can be
successfully implemented. An understanding of the current
environment is therefore vital. For example, these questions should
be asked during the policy construction phase to assess the staff’s
ability to successfully support a new security policy:
• Who is impacted?
• Is the culture conscious of the importance of security?
• How does the culture require that components of a new policy
and key implementation issues be introduced?
• What is expected to happen when the new policy is
implemented?
The aforementioned aspects must then be addressed during the
policy implementation phase to ensure staff acceptance and support
for the new policies.
Phase 3: Policy implementation
After completing policy construction, it is time to implement
the new security policy document. A detailed implementation plan is
now required to translate the design into reality. This phase
covers the following sub-steps: Define security and control
requirements through detailed procedures and guidelines, Allocate
information security responsibilities, Test security and control
requirements, Implement security and control requirements,
Implement ongoing security policy training and awareness.
Management buy-in and staff support (Phase 3)
Communication from senior members of the organization will
increase the likelihood of security policy acceptance by the
organization as a whole and help to promote individuals through the
stages of commitment. The endorsed final copy of the security
policy must be made easily available to all employees. It must be
communicated to all users formally and users are to acknowledge
that the policy is read and understood by signing and agreeing to
comply with it. The next requirement will be to develop security
awareness and training programs regarding the new policy. These
programs are very critical steps of the policy implementation phase
as their main role will be to change the attitudes of employees by
encouraging them to play an active role in policy
implementation.
Phase 4: Policy monitoring and maintenance
This phase comprises two main activities, viz. monitoring
and maintenance.
Policy monitoring
After the information security policy has been implemented,
organizations should include the appropriate monitoring mechanisms
to define the daily activities throughout the organization that
ensure the security policy is enforced across the organization. The
following sub-steps should be executed: Produce measurable results
reflecting users’ behaviours, Perform system audits and reviews,
Perform intrusion detection and penetration testing, Perform user
activity audit trail analysis, Audit policy compliance. The main
goal of policy monitoring is to ensure that staff members comply
with new policy requirements. In this way, the proposed ISP-DLC
shows that compliance with policy requirements is necessary to
ensure sustainability of security policies. Policies that are only
constructed and never applied and adhered to, are of no use to the
organization.
Policy maintenance
This activity incorporates the following sub-steps: Review
reports of security incidents, Review security and technology
infrastructure, Review business strategies, Review trends and
unexpected events, Review legal requirements, Compile request for
policy changes, Repeat policy development life cycle. It is
important to review the security infrastructure of an organization
continuously to identify new threats. This could be due to changes
in technology used elsewhere in the organization. It is further
possible that new laws are introduced which would need to be
incorporated in organizational security policies. The bottom line
is that changes of varied nature could lead to information
security policies becoming outdated. These changes must be
incorporated in the policies through the maintenance phase. The
maintenance phase requires a re-execution of Phases 1 – 3 in the
life cycle in order to ensure that changes to policies are not
applied in an ad hoc way. Of course, there are a lot of unknowns
and during this phase organizations will likely identify a new
threat that wasn’t considered, a new technology that is needed, or
a business capability that was forgotten and has to be catered for
in the organizational policies.
Management buy-in and staff support (Phase 4)
In this step, management must ensure that appropriate procedures
and systems are in place to determine whether personnel understand
the implemented policies and procedures and that the policies and
procedures are being followed. Furthermore, management needs to
ensure that there are appropriate consequences for noncompliance
with the security policy requirements. Penalties need to be
consistently enforced and communicated to all staff members.
[Figure: ISP-DLC (Information Security Policy Development Life Cycle). "Management buy-in and approval" spans the top of the diagram and "Staff support" spans the bottom; between them the four phases are arranged as a cycle: 1. Risk Assessment, 2. Policy Construction, 3. Policy Implementation, 4. Policy Monitoring and Maintenance.]