Asset identification and classification policy
This is a policy of ensuring that assets are clearly identified and appropriately classified.
Standards: Asset identification and classification standards of the respective State
Procedures: all information system assets should be appropriately identified and classified as part of an organization’s Information Technology Risk Management Process.
Asset protection policy
This refers to a policy aimed at protecting the assets from unauthorized users. Protection in this case is based on accuracy, confidentiality, and security.
Standard: Asset protection standard applied in the State
Procedures: implementation of anti-virus software, setting beck-up files, Implementation of measures to prevent unauthorized access to LAN
Asset management policy
This is a policy of managing and controlling assets. The policy is introduced to ensure that appropriate records are maintained in the systems.
Standard: Asset management standards of the respective state.
Procedure: implementation of measures to ensure proper management of information system resources.
Acceptable use policy
This refers to a set of rules that are applied by the manager or owner of a certain website, network, or a large system, which limit the ways that a website, system, or network may be used.
Standard: Acceptable use standards used in the state
Procedures: acceptable use must reflect honesty, must show responsible use in the consumption of resources shared, and must be ethical.
Vulnerability assessment and management policy
This is a policy established to detect any threats or risks, as well as, ways of controlling the risks.
Standard: Vulnerability assessment and management standard used in the state.
Procedures: IT departments should implement measures to ensure that threats at appropriate and reasonable levels.
Threat assessment and management policy
A policy aimed at analyzing the risk posed or caused, and how to control the risk.
Standard: Threat assessment and management standard of the respective organization or in accordance with rules and regulations of the state.
Procedures: all information system resources should be assessed formerly to establish risks and identify appropriate controls and responses.
Security awareness training policy
A policy established to train people in an organization or let them informed on security matters and how to ensure the security of information technology assets on a periodical basis.
Standard: security awareness training standard applicable in the state. The security awareness training policy should apply to all organizational members that have access to use information systems.
Procedures: training of all members of organization that use information system resources.
Selection of Appropriate Policy from the Framework
Asset protection policy- the policy to respond to matters of information system resources includes installation of a powerful anti-virus policy.
Layered security Defense
This is a policy that minimizes the risks of an internal network of an organization. Layered security defense involves the practice of joining several mitigating controls of security to protect data and resources. Layered security defense is beneficial for organizations as it helps in minimizing the threats of their internal networks. The policies of an organization are fitted in this system through the combination of numerous security controls.
Tech Republic. (2012) http://www.techrepublic.com/blog/security /understanding-layered-security-and-defense-in -depth/ 703
Knapp, E. D., & Samani, R. (2013). Applied Cyber Security and the Smart Grid: Implementing Security Controls into the Modern Power Infrastructure. Burlington: Elsevier Science.