Certified Ethical Hacker Domain 6: Information Security Policies, Laws and Acts


In this article, we’ll discuss the differences in information security policies and what goes into designing good ones. We give examples of each, discussing industry-wide accepted security standards and laws that different countries have put in place over time to combat the ever-increasing threat of cyber-crime.

CEH candidates will be required to have a basic understanding of this domain; it is the least weighty of the seven CEH domains, with only 1.9% of the total exam weight and only two test items.

Overview of Information Security Policies

In the information security industry today, organizations will often lay down their security plan, as discussed by the top management. Accepted plans will then be passed to middle management, team leaders and eventually to the executives. These security plans will often be contained in documents referred to as policies, which will be of different types and applications. The exam will review candidates’ abilities to properly identify these policies depending on given scenarios.

Types of Information Security Policies

Information security policies are high-level documents defining the vision of the organization’s security goals, scope, responsibilities and needs. They can generally be categorized into three main types:

  1. Organizational (master) policy: This can also be considered a general outline (overall strategy) of the entire organization’s security program
  2. System-specific policy: This can be considered as the accepted rules for specific systems or computers in the organization. Accepted rules can be on hardware, software or even hardening requirements
  3. Issue-specific policy: This type of policy concerns itself with functional aspects that may require more attention within the organization

Policies may fall into any of the categories above. The ability of the candidate to demonstrate the ability to effectively categorize policies is a plus during preparation for the exam. Candidates need also to have a general understanding of these (Read more...)

*** This is a Security Bloggers Network syndicated blog from InfoSec Resources authored by Lester Obbayi. Read the original post at: