
1 Information Assurance Policy: Course Summary

2 A Multifaceted Activity: Policy needs, goals, construction, enforcement, evolution; Governance, legislation, vendors, providers, collaborators, technology; Users, hosts, networks, sites; Costs, management, effectiveness

3 A Good Policy: Basis and motivation for decision making; Detailed enough to enforce or forbid activity; Open enough to support evolving activity; Clearly stated, enforceable; Applies to a clearly attributed set of assets or activities; Maintainable, revisable

4 A Bad Policy: Mixes goal with how to provide it; Mixes direction with attribute; Leaves open responsibility for implementation; Gets lost in trivialities

5 You Decide: The company badge subsystem shall be protected via timely backups of the badge database. All backups shall be retained until designated by the CIO. Backups shall be digitally encrypted and signed by the administrator making the backup using GPG 2.4 or similar hybrid-key cryptosystem.

6 Consequences of Bad IA Policy: Lack of protection; Lack of consistency; Increased effort; Increased cost; Increased uncertainty; Misplaced investments

7 Good Policy? Protection of the company badge subsystem shall be enforced by the operations manager. This protection shall include both generation of appropriate backups of the badge database and protection of these backups, as well as other activities.

8 Consequences of Good Policy: positioned for activity; prepared to meet evolving threats; meet responsibilities for asset protection in cost-effective manner

9 In Summary: “You’ve all done very well.” This is all just a start: doing policy well is a balancing act that improves with knowledge and hard-won experience.

