Security policy, acceptable use policy, and identity management.
Define and describe the following: security policy, acceptable use policy, and identity management.
1- Security policy
A security policy consists of statements ranking information risks, identifying acceptable security goals, and identifying the mechanisms for achieving these goals. What are the firm’s most important information assets? Who generates and controls this information in the firm? What existing security policies are in place to protect the information? What level of risk is management willing to accept for each of these assets? Is it willing, for instance, to lose customer credit data once every 10 years? Or will it build a security system for credit card data that can withstand the once-in-a-hundred-years disaster? Management must estimate how much it will cost to achieve this level of acceptable risk. The security policy drives other policies determining acceptable use of the firm’s information resources and which members of the company have access to its information assets.
Security policy: Statements ranking information risks, identifying acceptable security goals, and identifying the mechanisms for achieving these goals.
2- An acceptable use policy (AUP) defines acceptable uses of the firm’s information resources and computing equipment, including desktop and laptop computers, mobile devices, telephones, and the Internet. A good AUP defines unacceptable and acceptable actions for every user and specifies consequences for noncompliance.
3- Identity management software automates the process of keeping track of all users and their system privileges, assigning each user a unique digital identity for accessing each system. It also includes tools for authenticating users, protecting user identities, and controlling access to system resources.
Identity management: Business processes and software tools for identifying the valid users of a system and controlling their access to system resources.
Explain how information systems auditing promotes security and control.
Information systems auditing promotes security and control by examining the firm’s overall security environment as well as the controls governing individual information systems.
The security policy includes policies for acceptable use and identity management. Comprehensive and systematic information systems auditing helps organizations determine the effectiveness of security and controls for their information systems.