The information security strategic plan and security policies are strongly interrelated within an organization’s information security program

The information security strategic plan and security policies are strongly interrelated within an organization's information security program. The strategic plan sets the security goals and priorities; the policies state the mandatory requirements that follow from those goals; together they determine which security controls are selected, prioritized and implemented within the organization.

Part 1
Write a 1- to 2-page summary of the comparison chart of strategic plans and security policies you completed in this week’s Learning Team assignment.

Part 2
Review the control families described in this week's reading, NIST SP 800-53A Revision 4, Assessing Security and Privacy Controls in Federal Information Systems and Organizations.

Review the controls from this week’s reading, CIS Controls V7.1.

Develop a 2- to 3-page matrix using Aligning Security Controls to NIST Security Controls Matrix Template that accurately maps CIS controls to NIST security control families. Note that some CIS controls may map to multiple NIST control families.


Sample Answer

Information Security Strategic Plan

  • Purpose: The information security strategic plan (ISSP) is a high-level, multi-year document that states the organization's information security goals and objectives, the priorities and initiatives that will achieve them, and how they align with business strategy and risk appetite.
  • Scope: The ISSP should cover all aspects of information security, including but not limited to:
    • Risk management
    • Asset management
    • Security governance
    • Security operations
    • Security awareness and training

  • Audience: The ISSP should be written for an executive and governance audience, such as senior management, board members, and other stakeholders who approve strategy, budget and risk decisions.
  • Format: The ISSP should be a living document that is reviewed at least annually and updated whenever the organization's business strategy, threat landscape, regulatory obligations or risk appetite change.

Security Policies

  • Purpose: Security policies are specific, mandatory documents that state what must be done to achieve the organization's information security goals and objectives; standards and procedures beneath them specify how.
  • Scope: Each security policy covers a defined subject (for example acceptable use, access control, data classification or incident reporting) and states the people, systems and data to which it applies, tailored to the specific needs of the organization.
  • Audience: Security policies should be written for the specific audience that they are intended to apply to, such as employees, contractors, or partners.
  • Format: Security policies should be clear, concise, and easy to understand, and should state the requirement, who is responsible for it, how exceptions are granted, and the consequences of non-compliance.

Comparison

The main difference between the ISSP and security policies is that the ISSP is a high-level document that states the organization's overall information security goals and objectives, while security policies are specific, enforceable documents that state what must be done to achieve those goals and objectives.

The ISSP is written for an executive and governance audience, such as senior management, board members, and other stakeholders. Security policies are written for the specific audience that they are intended to apply to, such as employees, contractors, or partners.

The ISSP is a living document that is regularly updated to reflect changes in the organization's environment. Security policies should also be reviewed on a defined cycle, commonly at least annually, and revised whenever the plan, legal or regulatory requirements, or the technology they govern change; a revision of the ISSP therefore usually triggers a review of the policies that implement it.

The ISSP and security policies should be complementary documents. The ISSP provides the overall framework and priorities for information security, the security policies state the requirements that implement that framework, and standards, procedures and the selected security controls sit beneath the policies and give effect to them.

Part 2

I have reviewed the control families described in this week's reading, NIST SP 800-53A Revision 4, Assessing Security and Privacy Controls in Federal Information Systems and Organizations. SP 800-53A assesses the controls catalogued in SP 800-53 Revision 4, which organizes its security controls into the following eighteen families (two-letter identifiers in parentheses):

  • Access Control (AC): limits access to systems and data to authorized users, processes and devices, and to the actions they are permitted to perform (account management, least privilege, separation of duties, session, remote and wireless access).
  • Awareness and Training (AT): ensures that all users receive security awareness training and that staff with security responsibilities receive role-based training.
  • Audit and Accountability (AU): generates, protects, retains and reviews audit records so that actions on a system can be traced to individual users.
  • Security Assessment and Authorization (CA): assesses whether controls are implemented correctly and operating as intended, authorizes systems to operate, tracks remediation in plans of action and milestones, and monitors controls continuously.
  • Configuration Management (CM): establishes secure baseline configurations, controls changes to them, restricts installed software and maintains an inventory of system components.
  • Contingency Planning (CP): provides backups, alternate processing and storage sites, and tested recovery plans so that operations can continue or be restored after a disruption or disaster.
  • Identification and Authentication (IA): uniquely identifies and authenticates users, devices and services, and manages authenticators, before access is granted.
  • Incident Response (IR): covers preparation, detection, analysis, containment, eradication, recovery and reporting for security incidents, including response training and testing.
  • Maintenance (MA): controls system maintenance activities, maintenance tools and personnel, and non-local (remote) maintenance.
  • Media Protection (MP): controls access to, marking, storage, transport and sanitization of digital and non-digital media.
  • Physical and Environmental Protection (PE): controls physical access to facilities and equipment and protects against environmental hazards such as power loss, fire, water and temperature extremes.
  • Planning (PL): requires a system security plan, rules of behavior and a security architecture for each system.
  • Personnel Security (PS): covers position risk designation, personnel screening, termination and transfer, and the security obligations of third-party personnel.
  • Risk Assessment (RA): requires security categorization, risk assessments and vulnerability scanning so that risks are identified, assessed and prioritized.
  • System and Services Acquisition (SA): ensures systems and services are acquired and developed securely, covering the development life cycle, acquisition requirements, developer security practices and supply chain protection.
  • System and Communications Protection (SC): protects systems and the information they transmit, including boundary protection, cryptographic protection, transmission confidentiality and integrity, and denial-of-service protection.
  • System and Information Integrity (SI): covers flaw remediation (patching), malicious code protection, system monitoring, security alerts and advisories, and information input and output validation.
  • Program Management (PM): establishes the organization-wide security program (Appendix G), including the senior information security officer role, the risk management strategy, the enterprise architecture and the system inventory.

Topics that are sometimes listed as families of their own are controls within these families rather than separate families: patch management is SI-2 (Flaw Remediation), security testing and assessment is the CA family, and information security governance and risk management are the PM and RA families respectively.

SP 800-53 Revision 4 also defines, in Appendix J, eight privacy control families that SP 800-53A assesses alongside the security families: Authority and Purpose (AP), Accountability, Audit, and Risk Management (AR), Data Quality and Integrity (DI), Data Minimization and Retention (DM), Individual Participation and Redress (IP), Security (SE), Transparency (TR), and Use Limitation (UL).

Taken together, the families span management, operational and technical controls. SP 800-53 is written for federal information systems, where the low, moderate or high baseline is chosen from the system's FIPS 199 categorization and then tailored, but its catalog is widely used by organizations of every size as a reference for selecting and assessing controls. For the Part 2 matrix, each CIS control should be mapped to every family that contains a control satisfying it; several CIS Controls V7.1 entries span more than one family. For example, CIS Control 1 (Inventory and Control of Hardware Assets) maps to CM (CM-8, Information System Component Inventory) and PM (PM-5, Information System Inventory), and CIS Control 4 (Controlled Use of Administrative Privileges) maps to AC (AC-6, Least Privilege) and IA (IA-2, multifactor authentication for privileged accounts).
