Unit 3

The document outlines the objectives and outcomes of a course on information security, emphasizing the importance of policies, standards, and practices in creating a secure environment. It details the vision and mission of the institute and department, along with program educational objectives and specific outcomes for students. Additionally, it discusses the governance and planning aspects of information security, including the development of an Enterprise Information Security Policy (EISP).

Policies, standards, practices and business continuity
Introduction – information security policy – standards and practices – the information security blueprint: ISO 17799/BS 7799, ISO 27001 and its controls – NIST security models – design of security architecture – security architecture – security education – training and awareness program – continuity strategies.
OBJECTIVES:
• To understand the basics of Information Security
• To identify the legal, ethical and professional issues in Information Security
• To understand the aspects of risk management
• To become aware of various standards in information security
• To review the technological aspects of Information Security
COURSE OUTCOMES:
Upon completion of the course, the students will be able to
1. Identify and analyze security threats and attacks.
2. Outline risk management and information security.
3. Apply and devise suitable security policies and standards.
4. Experiment with intrusion detection and prevention systems to ensure information security.
5. Discuss the various matching and enrollment processes in biometrics.
INSTITUTE VISION AND MISSION
VISION OF THE INSTITUTE:
To achieve a prominent position among the top technical institutions.

MISSION OF THE INSTITUTE:
M1: To bestow standard technical education par excellence through state of the art infrastructure, competent faculty and high ethical standards.
M2: To nurture research and entrepreneurial skills among students in cutting edge technologies.
M3: To provide education for developing high-quality professionals to transform the society.
DEPARTMENT VISION AND MISSION
VISION OF THE DEPARTMENT:
To create eminent professionals of Computer Science and
Engineering by imparting quality education.

MISSION OF THE DEPARTMENT:


M1: To provide technical exposure in the field of Computer
Science and Engineering through state of the art infrastructure and
ethical standards.
M2: To engage the students in research and development activities
in the field of Computer Science and Engineering.
M3: To empower the learners to involve in industrial and multi-
disciplinary projects for addressing the societal needs.
PROGRAM EDUCATIONAL OBJECTIVES (PEOs):
Our graduates shall
PEO1: Analyse, design and create innovative products for
addressing social needs.
PEO2: Equip themselves for employability, higher studies and
research.
PEO3: Nurture the leadership qualities and entrepreneurial skills for their successful career.

PROGRAM SPECIFIC OUTCOMES (PSOs):
Students will be able to
PSO1: Apply the basic and advanced knowledge in developing
software, hardware and firmware solutions addressing real life
problems.
PSO2: Design, develop, test and implement product-based
solutions for their career enhancement.
PROGRAM OUTCOMES:
PO1 Engineering knowledge
PO2 Problem analysis
PO3 Design/development of solutions
PO4 Conduct investigations of complex problems
PO5 Modern tool usage
PO6 The engineer and society
PO7 Environment and sustainability
PO8 Ethics
PO9 Individual and team work
PO10 Communication
PO11 Project management and finance
PO12 Life-long learning
Introduction
Planning begins with the creation or review of an organization's information security policies, standards and practices.
It continues with the selection or creation of an information security architecture.
Development of the information security blueprint creates a plan for future success.
Without these, an organization cannot meet its information security needs.
Information security planning and governance
Planning levels.
Planning and the CISO (Chief Information Security Officer).
IS governance:
A set of responsibilities and practices exercised by the board and executive management.
Goal: provide strategic direction and ensure that objectives are achieved.
Ensure that risks are managed appropriately.
Verify that the enterprise's resources are used responsibly.
Information security planning and governance
Outcomes: five goals.
Strategic alignment
Risk management
Resource management
Performance measurement
Value delivery
Governance framework
Information security policy, standards and practices
Policy is the basis of all information security efforts.
Policies direct how issues should be addressed and how technologies should be used.
Policies must never contradict law.
Shaping policy is difficult.
Information security policy, standards and practices
Policy: a course of action used by an organization to convey instructions from management to those who perform duties.
Policies are organizational laws.
Standards: more detailed statements of what must be done to comply with policy.
Practices, procedures and guidelines: explain how to comply with policy effectively.
For a policy to be effective, it must be properly disseminated, read, understood and agreed to by all members of the organization.
Enterprise Information Security Policy (EISP)
Sets the strategic direction, scope and tone for all security efforts within the organization.
Drafted by, or in cooperation with, the organization's CIO (Chief Information Officer).
Addresses compliance in two areas:
General compliance, to ensure that requirements are met.
Use of specified penalties and disciplinary action.
EISP elements
An overview of the corporate philosophy on security.
Information on the structure of the information security organization and the individuals who fulfil security roles.
Fully articulated responsibilities for security that are shared by all members of the organization: employees, contractors, consultants, partners and visitors.
Fully articulated responsibilities for security that are unique to each role in the organization.
APPLICATIONS:

• DDoS security
• Web Firewall
• Bots
• Antivirus and Antimalware
• Threat management systems
• Critical systems
• Rules and regulations
REFERENCES:
1. Michael E. Whitman and Herbert J. Mattord, "Principles of Information Security", Course Technology, New Delhi, Fourth Edition, 2012.
2. Nina Godbole, "Information Systems Security: Security Management, Metrics, Frameworks and Best Practices", Wiley India Pvt. Ltd., New Delhi, First Edition, 2009.

ONLINE REFERENCES:
3. https://nptel.ac.in/courses/106/106/106106129/
4. https://nptel.ac.in/courses/106/106/106106178/
5. https://nptel.ac.in/courses/106/106/106106157/
