IT 409 SEU Policy in Both Daily Life and Information Security Discussion

College of Computing and Informatics
Assignment 1
Deadline: Tuesday 11/04/2023 @ 23:59
[Total Mark for this Assignment is 8]
Student Details:
Name: ###
ID: ###
CRN: ###
Instructions:
• You must submit two separate copies (one Word file and one PDF file) using the Assignment Template on
Blackboard via the allocated folder. These files must not be in compressed format.
• It is your responsibility to check and make sure that you have uploaded both the correct files.
• Zero mark will be given if you try to bypass the SafeAssign (e.g. misspell words, remove spaces between
words, hide characters, use different character sets, convert text into image or languages other than English
or any kind of manipulation).
• Email submission will not be accepted.
• You are advised to make your work clear and well-presented. This includes filling your information on the cover
page.
• You must use this template, failing which will result in zero mark.
• You MUST show all your work, and text must not be converted into an image, unless specified otherwise by
the question.
• Late submission will result in ZERO mark.
• The work should be your own, copying from students or other resources will result in ZERO mark.
• Use Times New Roman font for all your answers.
Question One (3 Marks)
Learning Outcome(s): Explain networking and security, security issues, trends, and security resources. Apply effective, proper, and state-of-the-art security tools and technologies.
On this link: https://nca.gov.sa/legislation?item=182&slug=guidelines-list you can find different policy templates in the cyber security field presented by the Saudi National Cybersecurity Authority. We picked one document from the link: https://nca.gov.sa/ccc-en.pdf, with the topic Cloud Cybersecurity Controls Policy.
Based on the Cloud Cybersecurity Controls Policy, answer the following questions:
a. What is the Policy Format Type? Justify the use of the format with an example from the link.
b. Who are the policy audiences? Give an example from the link.
c. Determine one of the policy's enforcement clauses or controls.
d. Explain the CCC file Identification Notation and Controls Unique Identifier Structure.
Ans:
a.
b.
c.
d.
Question Two (2 Marks)
Learning Outcome(s): Explain networking and security, security issues, trends, and security resources.
ISO 27002 Supplier Relationships (Section 15) was added in the 2013 version. Discuss your opinion, with a real example, of why this section was added.
Ans:
Question Three (1.5 Marks)
Learning Outcome(s): Apply the most appropriate solutions to problems related to the field of Security and Information Assurance.
Suggest and discuss a short awareness program to protect kids from scammers.
Ans:
Question Four (1.5 Marks)
Learning Outcome(s): Analyze problems related to the field of Security and Information Assurance.
Discuss the importance of assets' inventory from a security perspective.
Ans:
Saudi Electronic University
Bachelor of Science in Information Technology
IT476 IT Security and Policies
26/12/2021
Security Program and Policies: Principles and Practices, by Sari Stern Greene, Updated 02/2018
Chapter 1: Understanding Policy
Objectives
■ Describe the significance of policies
■ Evaluate the role policy plays in corporate culture and civil society
■ Discuss information security policy
■ Identify the characteristics of a successful policy
■ Discuss the Information Security Policy lifecycle
Copyright 2014 Pearson Education, Inc.
Introduction
■ Policy: "A definite course of action or procedure selected from among alternatives and in light of given conditions to guide and determine present and future decisions" (per www.merriamwebster.com)
Looking at Policy Through the Ages
■ The role of the Torah and Bible as written policy
■ The Holy Quran has served as a policy document for Muslims over a period of 1400 years.
■ 3000-year-old documents include business rules still in practice today.
■ The first documented attempt at creating a code to preserve order can be found in the times of the Romans and Greeks.
Looking at Policy Through the Ages (cont.)
❑ The U.S. Constitution as a Policy Revolution
■ A collection of articles and amendments that codify all aspects of American government along with citizens' rights and responsibilities
■ A rule set with a built-in mechanism for change
❑ Both the Constitution and the Torah have a similar goal:
■ Serve as rules that guide behavior
Information Security Policy
■ A document that states how an organization plans to protect its information assets and information systems and ensure compliance with legal and regulatory requirements
❑ Asset
■ Resource with a value
❑ Information asset
■ *Any information item, regardless of storage format, that represents value to the organization
■ Customer data, employee records, IT information, reputation, and brand
Successful Policy Characteristics
■ Endorsed
❑ Management supports the policy
■ Relevant
❑ The policy is applicable and supports the goals of the organization
■ Realistic
❑ The policy makes sense
■ Attainable
❑ The policy can be successfully implemented
■ Adaptable
❑ The policy can be changed
■ Enforceable
❑ Controls that can be used to support and enforce the policy exist
■ Inclusive
❑ The policy scope includes all relevant parties
Defining the Role of Policy in Government
❑ Government regulation is required to protect a country's critical infrastructure and citizens
❑ Two major pieces of information security-related legislation were introduced in Saudi Arabia:
• Anti-Cyber Crime Act: http://www.citc.gov.sa/en/RulesandSystems/CITCSystem/Pages/CybercrimesAct.aspx
• Electronic Transactions Act: http://www.citc.gov.sa/en/RulesandSystems/CITCSystem/Pages/ElectronicTransactionsLaw.aspx
Information Security Policy Lifecycle
• Regardless of the type of policy, its success depends on how the organization approaches the process of developing, publishing, adopting and reviewing the policy.
• This process is referred to as the Policy Lifecycle.
Information Security Policy Lifecycle cont.
1) Policy development: There are six main tasks involved in policy development:
a) planning: identifying the need for and context of the policy,
b) researching: defining the legal and regulatory requirements,
c) writing: producing a document suited to the audience,
d) vetting: examining the draft,
e) approving: by all concerned departments, and
f) authorizing: approval from management.
Information Security Policy Lifecycle cont.
2) Policy Publication: Policies should be communicated and made
available to all parties they apply to. The company should provide
training to reinforce the policies. Creating a culture of compliance
can ensure all parties understand the importance of the policy and
actively support it.
3) Policy Adoption: The policy is implemented, monitored, and
enforced.
4) Policy Review: Policies are reviewed annually, and outdated
policies are updated or retired.
Summary
Policies apply to governments as well as to business
organizations.
When people are grouped to achieve a common goal, policies
provide a framework that guides the company and protects the
assets of that company.
The policy lifecycle spans four phases: develop, publish, adopt,
and review.
Security Program and Policies (Greene), Chapter 2: Policy Elements and Style
Objectives
■ Distinguish between a policy, a standard, a baseline, a procedure, a guideline, and a plan
■ Identify policy elements
■ Include the proper information in each element of a policy
■ Know how to use "plain language"
Policy Hierarchy
■ Policies need supporting documents for context and application
❑ Standards, baselines, guidelines, and procedures support policy implementation
■ The relationship between a policy and its supporting documents is known as the policy hierarchy
■ Policies reflect the guiding principles and organizational objectives
[Figure: policy hierarchy diagram, with guiding principles above the policy and standards, baselines, guidelines and procedures beneath it]
Policy Hierarchy cont.
■ Standards (details in next slide)
❑ Dictate specific minimum requirements in policies
❑ They are specific.
❑ *Determined by management and can be changed without Board of Director authorization
■ *Note that standards change more often than policies
■ Baselines
❑ An aggregate of implementation standards and security controls for a specific category or grouping such as platform (for example, Windows 7, Mac) or device type (iPad, laptop)
Example of password policy vs. password standard
■ Password policy
❑ All users must have a unique user ID and password
❑ Users must not share their password with anyone
❑ If a password is suspected to be compromised, it must be changed immediately
■ Password standard
❑ Minimum of 8 upper- and lowercase alphanumeric characters
❑ Must include at least one special character (such as *, &, $, #, !, or @)
❑ Must not include repeating characters (e.g., 111)
❑ Must not include the user's name or the company name
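The password standard above, as an added example (not from the slides or Greene's book): a Python check that tests a candidate password against each rule of the standard and reports which rules it breaks, so a failed attempt can be explained to the user. The `user_name` and `company_name` parameters, the reading of "alphanumeric" as requiring at least one digit, and the interpretation of "repeating characters" as three or more identical characters in a row (the slide's "111") are assumptions made here.

```python
"""Checker for the slide's password standard (added example, not course code)."""
import re
from typing import List

# The slide's "such as" list of special characters; widen it if the
# organization's standard allows more.
SPECIAL_CHARS = set("*&$#!@")


def check_password(password: str, user_name: str, company_name: str) -> List[str]:
    """Return the list of standard rules the password violates.

    An empty list means the password is compliant. Each rule is a separate
    check so that feedback names the rule, not just "rejected".
    """
    violations: List[str] = []

    # Rule 1: minimum of 8 characters, mixed upper- and lowercase, and
    # (our reading of "alphanumeric") at least one digit.
    if len(password) < 8:
        violations.append("shorter than 8 characters")
    if not re.search(r"[A-Z]", password):
        violations.append("no uppercase letter")
    if not re.search(r"[a-z]", password):
        violations.append("no lowercase letter")
    if not re.search(r"[0-9]", password):
        violations.append("no digit")

    # Rule 2: at least one special character from the allowed set.
    if not any(ch in SPECIAL_CHARS for ch in password):
        violations.append("no special character")

    # Rule 3: no repeating characters. Interpreted (assumption) as the same
    # character three or more times in a row, matching the slide's "111".
    if re.search(r"(.)\1\1", password):
        violations.append("repeated character run")

    # Rule 4: must not contain the user's name or the company name.
    # Compared case-insensitively, since "Acme2024!" is the common pattern.
    lowered = password.lower()
    for label, name in (("user name", user_name), ("company name", company_name)):
        if name and name.lower() in lowered:
            violations.append(f"contains {label}")

    return violations


def is_compliant(password: str, user_name: str, company_name: str) -> bool:
    """True when the password breaks none of the standard's rules."""
    return not check_password(password, user_name, company_name)


if __name__ == "__main__":
    # Constructed sample inputs: the slide's own example passphrase-derived
    # password, a weak one, and one that embeds the (constructed) company name.
    for pw in ("I1stw2DLwIw4yrs&immH", "password111", "Acme2024!x"):
        print(pw, "->", check_password(pw, "jsmith", "Acme") or "compliant")
```

Note that the standard only sets minimum composition rules; a password can satisfy every rule and still be guessable, which is why the guideline that follows recommends deriving it from a memorable phrase.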
Policy Hierarchy cont.
■ Guidelines
❑ Guidelines are best thought of as teaching tools.
❑ Suggestions / advice for the best way to accomplish a given task
❑ *Guidelines are created primarily to assist users in their goal to implement the policy
❑ They are not mandatory
❑ EXAMPLE: "A good way to create a strong password is to think of a phrase, song title, or other group of words that is easy to remember and then convert it, like this:
■ I first went to Disneyland when I was 4 years old and it made me happy → I1stw2DLwIw4yrs&immH"
■ Procedures (details in next slide)
❑ Method, or set of instructions, by which a policy is accomplished
❑ *A step-by-step approach to implementation
❑ Four commonly used formats for procedures
■ Simple step, hierarchical, graphic, flowchart
Example of a procedure to change a Windows password
■ Simple step procedure to change a user's Windows password
❑ Press and hold the Ctrl+Alt+Delete keys
❑ Click the change password option
❑ Type your current password in the top box
❑ Type your new password in both the second and third boxes
❑ Click OK and then log in with your new password
Policy Hierarchy cont.
■ Plans and Programs
❑ The terms "plan" and "program" are used interchangeably
❑ Plans are closely related to policies
❑ *Provide strategic and tactical instructions on how to execute an initiative or respond to a situation
❑ For example, an Incident Response Policy will generally include the requirement to publish, maintain, and test an Incident Response Plan
Policy Format
■ Writing policy documents can be challenging.
■ Policies are complex documents that must be written to withstand legal and regulatory scrutiny while at the same time being easily read and understood by the reader.
■ The starting point for choosing a format is identifying the policy audience.
■ *The style and format of a policy will change based on the target audience of said policy
■ Identify and understand the audience
■ Identify the culture shared by the target audience
■ Plan the organization of the document before you start writing it.
■ One document with multiple sections?
❑ Consolidated/Combined policy sections
■ Several individual documents?
❑ Singular policy
Policy Components
■ Policy components
❑ Policies include many different sections and components
❑ Each component has a different purpose
❑ *Clearly identify the purpose of each element in the planning phase before the writing part starts
Version Control
■ Used to keep track of the changes to the policy
■ Usually identified by a number or letter code
■ Major revisions advance by a number or letter
❑ 1.0, 2.0, 3.0
■ Minor revisions advance by a subsection
❑ 1.1, 1.2, 1.3
■ Version control documentation includes:
1. Change date
2. Name of the person(s) making the change
3. Brief synopsis of the change
4. Who authorized the change
5. The effective date of the change
Introduction
■ Provides context and meaning
■ Explains the significance of the policy
■ Explains the exemption process and the consequences of noncompliance
■ *Reinforces the authority of the policy
■ *A separate document for a singular policy
■ *Follows the version control table and serves as a preface for a consolidated policy
Policy Headings
■ Identifies the policy by name and provides an overview of the policy topic or category
■ The heading serves as a section introduction and includes an overview
■ The format and content depend on the policy format
❑ *Singular policy includes:
■ Name of the organization or the division
■ Category, section, and subsection
■ Name of the author and effective date of the policy
■ Version number and approval authority
❑ *Consolidated/Combined policy document
■ *Heading serves as a section introduction and includes an overview
Policy Goals and Objectives
■ What is the goal of the policy?
■ Introduces the employee to the policy content and conveys the intent of the policy
■ *One policy may have several objectives
■ *Singular policy objectives are located in the policy heading or in the body of the document
■ *Consolidated policy objectives are grouped after the policy heading
Policy Statement
❑ Why does the policy exist?
❑ What rules need to be followed?
❑ How will the policy be implemented?
*Policy Statement
■ High-level directive or strategic roadmap
❑ Focuses on the specifics of how the policy will be implemented
❑ It's a list of all the rules that need to be followed
❑ Constitutes the bulk of the policy
❑ Standards, procedures, and guidelines are not a part of the Policy Statement. They can, however, be referenced in that section
Policy Exceptions
■ Not all rules are applicable 100% of the time.
■ *Exceptions do not invalidate the rules, as much as they complement them by listing alternative situations.
■ Language used in this section must be clear, accurate, and concise so as not to create loopholes/ambiguity.
■ Keep the number of exceptions low.
Policy Enforcement Clause
■ Rules and the penalty for not following them should be listed in the same document
■ The level of the severity of the penalty should match the level of severity and nature of the infraction/violation
■ Penalties should not be enforced against employees who were not trained on the policy rules they are expected to follow
Administrative Notations
■ Provides a reference to an internal resource or refers to additional information.
■ Include regulatory cross-references, the name of the corresponding document (standard, guideline, and so on), supporting documentation (annual reports, job descriptions), and the policy author's name and contact information
Policy Definitions
❑ The glossary of the policy document
❑ Created and included to further enhance employee understanding of the policy and rules
❑ *Renders the policy a more efficient document
❑ *The target audience(s) should be defined prior to the creation of the glossary
❑ *Useful to show due diligence of the company in terms of explaining the rules to the employees during potential litigation
Writing Style and Technique
■ *Sets the first impression
■ Policies should be written using plain language
■ Plain language means:
❑ The simplest, most straightforward way to express an idea
• Follow the Plain Language Action and Information Network (PLAIN) guidelines (http://plainlanguage.gov)
❑ A group of federal employees from many different agencies and specialties, who support the use of clear communication in government writing
The Plain Language Action and Information Network (PLAIN) guidelines
■ Write for your audience
■ Write short sentences
■ Limit a paragraph to one subject
■ Be concise
■ Don't use jargon or technical terms
■ Use active voice
■ Use "must", not "shall"
■ Use words and terms consistently throughout your document
Summary
❑ The structure of the policy documents eases the maintenance and creation of the overall document.
❑ A successful policy sets forth requirements (standards), ways for employees to act according to the policy (guidelines) and actual procedures.
❑ A policy is a complex set of individual documents that build upon each other to convey the message to all employees of the organization in an efficient fashion.
Security Program and Policies (Greene), Chapter 3: Information Security Framework
Objectives
■ Recognize the importance of the CIA security model and describe the security objectives of confidentiality, integrity, and availability
■ Discuss why organizations choose to adopt a security framework
■ Recognize the value of NIST resources
■ Understand the intent of the ISO/IEC 27000 series of information security standards
■ Outline the domains of an information security program
CIA
■ The CIA Triad, or CIA security model
■ Stands for Confidentiality, Integrity, and Availability
■ An attack against one or more of the elements of the CIA triad is an attack against the information security of the organization.
■ Protecting the CIA triad means protecting the assets of the company.
CIA
■ The Federal Information Security Management Act (FISMA) defines the relationship between information security and the CIA triad as follows:
■ "Information security" means protecting information and information systems in order to provide:
■ Integrity
■ Confidentiality and
■ Availability
■ Organizations may consider all three components of the CIA triad equally important, *in which case resources must be allocated proportionately.
What Is Confidentiality?
■ When you tell a friend something "in confidence," you expect them to keep the information private and to not share what you told them with anyone else without your permission.
■ Confidentiality is the ability not to release information to unauthorized persons, programs, or processes.
■ Confidentiality means preserving authorized restrictions on access and disclosure, including means for protecting personal privacy and proprietary information.
■ *Not all data owned by the company should be made available to the public
■ Failing to protect data confidentiality can be disastrous for an organization:
■ Dissemination of Protected Health Information (PHI) between doctor and patient
■ Dissemination of Protected Financial Information (PFI) between bank and customer
■ Dissemination of business-critical information to a rival company
What Is Confidentiality? Cont.
■ Only authorized users should gain access to information.
■ Information must be protected when it is used, shared, transmitted, and stored.
■ Information must be protected from unauthorized users both internally and externally.
■ Information must be protected whether it is in digital or paper format.
What Is Confidentiality? Cont.
 The threats to confidentiality must be identified.
 They include:
1. Hackers and hacktivists
 A hacker could break into a computer for monetary gain or to demonstrate their
talents. A hacktivist, on the other hand, is someone who aims to achieve a
social or political goal by gaining access to a computer network and stealing
sensitive data.
2. Shoulder surfing
 The act of looking over someone's shoulder to see what is displayed on a monitor or
device.
3. Lack of shredding of paper documents
4. Malicious code (viruses, worms, Trojans)
5. Unauthorized employee activity
6. Improper access control
What Is Confidentiality? Cont.
 The information security goal of confidentiality is to protect
information from unauthorized access and misuse
 The best way to do this is to implement safeguards and
processes that increase the work factor and the chance of
being caught.
 *A spectrum of access controls and protections as well as
ongoing monitoring, testing, and training
What Is Integrity?
 Integrity is protecting data, processes, or systems from intentional or
accidental unauthorized modification.
 Data integrity – A requirement that information and programs are changed
only in a specified and authorized manner.
 System integrity – A requirement that a system "performs its intended
function in an unimpaired manner, free from deliberate or inadvertent
unauthorized manipulation of the system."
 A business that cannot trust the integrity of its data is a business that cannot
operate
 An attack against data integrity can mean the end of an organization’s
capability to conduct business
What Is Integrity? Cont.
 Threats to data integrity include:
1. Human error
2. Hackers
3. Unauthorized user activity
4. Improper access control
5. Malicious code
6. Interception and alteration of data during transmission
What Is Integrity? Cont.
 Controls that can be deployed to protect data integrity include:
 Access controls:
  - Encryption
  - Digital signatures
 Process controls:
  - Code testing (free from bugs)
 Monitoring controls:
  - File integrity monitoring
  - Log analysis
 Behavioral controls:
  - Separation of duties
  - Rotation of duties
  - End user security training
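The file integrity monitoring and digital-signature controls listed above, shown as an added example that is not part of the original slides: a standard-library Python script that records a SHA-256 baseline of a file tree, seals the baseline with an HMAC so that the baseline itself cannot be edited unnoticed, and then reports files that were added, removed or modified. The directory contents, file names and the key are constructed for the demonstration; in a real deployment the key and the sealed baseline are kept off the monitored host.

```python
"""File integrity monitoring with an HMAC-sealed baseline (added example).

Uses only the standard library. The monitored tree, its files and the
key are constructed here for the demonstration; in a real deployment the
key and the sealed baseline live outside the monitored host.
"""
import hashlib
import hmac
import json
import os
import tempfile

CHUNK = 1 << 16


def sha256_file(path):
    """Hex SHA-256 of a file, read in chunks so large files need little RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Map every regular file under root (path relative to root) to its digest."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = sha256_file(full)
    return baseline


def seal_baseline(baseline, key):
    """Serialize the baseline and attach an HMAC-SHA256 tag.

    An attacker who can modify monitored files can usually also edit a
    plain hash list; the keyed tag makes that edit detectable."""
    body = json.dumps(baseline, sort_keys=True)
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return json.dumps({"baseline": body, "hmac": tag})


def open_baseline(sealed, key):
    """Verify the tag before trusting a stored baseline; raise on mismatch."""
    doc = json.loads(sealed)
    expected = hmac.new(key, doc["baseline"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, doc["hmac"]):
        raise ValueError("sealed baseline fails HMAC check: tampered or wrong key")
    return json.loads(doc["baseline"])


def compare(baseline, current):
    """Classify differences between the trusted baseline and a fresh scan."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
    }


def demo():
    """Seal a baseline of a constructed tree, change the tree, report the drift,
    then show that editing the sealed baseline is caught as well."""
    key = b"demo-key-stored-outside-the-monitored-tree"  # constructed for the demo
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "etc"))
        with open(os.path.join(root, "etc", "passwd"), "w") as f:
            f.write("root:x:0:0::/root:/bin/sh\n")
        with open(os.path.join(root, "app.cfg"), "w") as f:
            f.write("debug=false\n")
        sealed = seal_baseline(build_baseline(root), key)

        # Simulated unauthorized activity: one edit, one deletion, one new file.
        with open(os.path.join(root, "app.cfg"), "a") as f:
            f.write("debug=true\n")
        os.remove(os.path.join(root, "etc", "passwd"))
        with open(os.path.join(root, "backdoor.sh"), "w") as f:
            f.write("#!/bin/sh\n")

        report = compare(open_baseline(sealed, key), build_baseline(root))

    # Forge the stored baseline: any edit to the body breaks the HMAC.
    doc = json.loads(sealed)
    doc["baseline"] = doc["baseline"].replace("app.cfg", "backdoor.sh")
    try:
        open_baseline(json.dumps(doc), key)
        forgery_detected = False
    except ValueError:
        forgery_detected = True
    return report, forgery_detected


if __name__ == "__main__":
    print(demo())
```

Running the script prints the drift report (one added, one removed, one modified path) followed by `True` for the detected forgery. The HMAC is what turns a hash list into a control: without it, whoever changed the files could simply rehash them and rewrite the baseline.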
What Is Availability?
 Availability is the assurance that the data and systems are accessible
when needed by authorized users
 The Service Level Agreement (SLA) is a type of agreement between a
service provider and a customer that specifically addresses availability of
services (e.g., 99.999% uptime, which allows roughly five minutes of downtime per year).
 *What is the cost of the loss of data availability to the organization?
 *A risk assessment should be conducted to more efficiently protect data
availability.
What Is Availability? Cont.
 Threats to data availability include:
1. Natural disaster
2. Hardware failures
3. Programming errors
4. Human errors
5. Distributed Denial of Service attacks
6. Loss of power
7. Malicious code
8. Temporary or permanent loss of key personnel
*Ask Yourself about CIA
 What purpose does the CIA Triad serve in information
security?
 What is required for a network professional to ensure the
availability of data or devices?
 If you want to protect the confidentiality of data being
transmitted from an IoT device, which of these strategies
might be a good choice?
The Five A’s of Information Security
 Supporting the CIA triad of information security are five key
information security principles, commonly known as the Five A’s:
 Accountability
 Assurance
 Authentication
 Authorization
 Accounting
The Five A’s of Information Security Cont.
 Accountability:
 The process of tracing actions to their source
 All actions should be traceable to the person who committed
them.
 Logs should be kept, archived, and secured.
 Intrusion detection systems should be deployed.
 *Computer forensic techniques can be used retroactively.
 *Accountability should be focused on both internal and
external actions.
The Five A’s of Information Security Cont.
 Assurance:
 The processes, policies, and controls used to develop confidence that
security measures are working as intended.
 Security measures (such as VPNs, antivirus, backups, firewalls) need to be
designed and tested to ascertain that they are effective and appropriate.
 The knowledge that these measures are in fact effective is known as
assurance.
 *The activities related to assurance include:
 Auditing and monitoring
 Testing
 Reporting
The Five A’s of Information Security Cont.
 Authentication:
 Assurance and confirmation of a user’s identity
 Authentication is the cornerstone/basis of most network
security models.
 It is the positive identification of the person or system seeking
access to secured information and/or system.
 Examples of authentication models:
 User ID and password combination
 Tokens
 Biometric devices
The Five A’s of Information Security Cont.
 Authorization:
 Act of granting users or systems actual access to information
resources.
 *Note that the level of access may change based on the user’s
defined access level.
 Examples of access level include the following:
 Read only
 Read and write
 Full
The Five A’s of Information Security Cont.
 Accounting:
 Defined as the logging of access and usage of resources.
 Keeps track of who accesses what resource, when, and
for how long.
 An example of use:
 Internet café, where users are charged by the minute of
use of the service.
 CIA plus the Five A’s are fundamental objectives and
attributes of an information security program.
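Authorization, accounting and accountability from the Five A's above, in one added example that is not from the original slides: each access request is checked against the user's access level (read only, read and write, full), the decision is appended to a hash-chained log that records who accessed what, when and for how long, and verifying the chain exposes any entry altered after the fact. The users, the operation names behind each access level, and the timestamps are constructed for the demonstration.

```python
"""Authorization, accounting and accountability in one audit trail (added example).

Each request is checked against the user's access level, and the decision is
appended to a hash-chained log recording who, what, when and for how long.
Users, levels and timestamps below are constructed for the demonstration.
"""
import hashlib
import json

# The access levels named on the slides, mapped to the operations they permit
# (the operation names are an assumption made for this demo).
ACCESS_LEVELS = {
    "read only": {"read"},
    "read and write": {"read", "write"},
    "full": {"read", "write", "delete", "share"},
}

GENESIS = "0" * 64  # previous-hash value for the first entry


def authorize(level, operation):
    """True if the operation is within the given access level."""
    return operation in ACCESS_LEVELS.get(level, set())


def _link_hash(prev_hash, entry):
    """Hash of an entry bound to its predecessor; editing either breaks the chain."""
    body = json.dumps(entry, sort_keys=True).encode()
    return hashlib.sha256(prev_hash.encode() + body).hexdigest()


def append(log, user, level, resource, operation, start, end):
    """Authorize the request and record the decision as the next link."""
    decision = "permit" if authorize(level, operation) else "deny"
    prev = log[-1]["hash"] if log else GENESIS
    entry = {"user": user, "resource": resource, "operation": operation,
             "decision": decision, "start": start, "end": end}
    log.append({"entry": entry, "prev": prev, "hash": _link_hash(prev, entry)})
    return decision


def verify(log):
    """Recompute the chain; return the index of the first broken link, or -1."""
    prev = GENESIS
    for i, link in enumerate(log):
        if link["prev"] != prev or link["hash"] != _link_hash(prev, link["entry"]):
            return i
        prev = link["hash"]
    return -1


def usage_by_user(log):
    """Accounting: total permitted access time (seconds) per user."""
    totals = {}
    for link in log:
        e = link["entry"]
        if e["decision"] == "permit":
            totals[e["user"]] = totals.get(e["user"], 0) + (e["end"] - e["start"])
    return totals


def denied_attempts(log):
    """Accountability: (user, operation) pairs that exceeded the user's authorization."""
    return [(link["entry"]["user"], link["entry"]["operation"])
            for link in log if link["entry"]["decision"] == "deny"]


def demo():
    """Constructed activity against one file; times are Unix seconds."""
    log = []
    append(log, "alice", "read only", "/hr/payroll.xlsx", "read", 1000, 1600)
    append(log, "alice", "read only", "/hr/payroll.xlsx", "write", 1600, 1601)
    append(log, "bob", "full", "/hr/payroll.xlsx", "delete", 2000, 2005)
    append(log, "bob", "full", "/hr/payroll.xlsx", "read", 2100, 2400)
    result = {
        "usage": usage_by_user(log),
        "denied": denied_attempts(log),
        "chain_ok_before": verify(log),
    }
    # An insider rewrites the record of their denied attempt after the fact.
    log[1]["entry"]["decision"] = "permit"
    result["first_bad_link_after"] = verify(log)
    return result


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The chain makes the log tamper-evident, not tamper-proof: an attacker with write access to the whole file could rebuild every hash from the altered entry onward, which is why the slides also call for logs to be archived and secured off the system that produces them.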
Who Is Responsible for CIA?
 Information owner:
 An official with legal or operational authority for specified information.
 The owner of information is the person responsible for the business
use of the information.
 Has the responsibility for ensuring information is protected from
creation through destruction.
 Information custodian:
 Maintain the systems that store, process, and transmit the
information.
Information Security Framework
 A security framework is a series of documented processes that define policies and
procedures around the implementation and management of information security
controls.
 *Security framework is a collective term given to guidance on topics related to:
 information systems security
 predominantly regarding the planning
 Implementing
 Managing and auditing of overall information security practices
 Two of the most widely used frameworks are:
 Information Technology and Security Framework by NIST
 Information Security Management System by ISO
NIST Functions
 Founded in 1901
 Non-regulatory federal agency
 Its mission is to develop and promote measurement, standards and
technology to enhance productivity, facilitate trade, and improve quality of
life
 NIST defines information security as:
 The protection of information and information systems from
unauthorized access, use, disclosure, disruption, modification, or
destruction in order to provide CIA.
 Published more than 300 information security-related documents including:
 *Federal Information Processing Standards.
 *Special Publication 800 series.
 *ITL bulletins.
NIST Functions
 The Computer Security Division (CSD) is one of eight divisions within
NIST’s Information Technology Laboratory
 The mission of NIST’s CSD is to improve information systems security as
follows:
1. By raising awareness of IT risks, vulnerabilities, and protection
requirements, particularly for new and emerging technologies.
2. By researching, studying, and advising agencies of IT vulnerabilities
and devising techniques for the cost-effective security and privacy of
sensitive federal systems.
3. By developing standards, metrics, tests, and validation programs
4. By developing guidance to increase secure IT planning,
implementation, management, and operation.
ISO Functions
 A network of the national standards institutes of 146 countries
 Nongovernmental organization that has developed more than
13,000 international standards.
 The ISO/IEC 27000 series represents information security
standards published jointly by ISO and the International
Electrotechnical Commission (IEC)
ISO 27002:2013 series (Code of Practice)
 Comprehensive set of information security recommendations on best practices in
information security.
 ISO 27002:2013 is organized in the following domains:
1. Information security policies (Section 5) – This domain focuses on
information security policy requirements and the need to align policy with
organizational objectives.
2. Organization of Information Security (Section 6) – This domain focuses on
establishing and supporting a management structure to implement and manage
information security within, across, and outside the organization.
3. Human Resources Security Management (Section 7) – This domain focuses
on integrating security into the employee lifecycle, agreements, and training.
Human nature is to be trusting.
4. Asset Management (Section 8) – This domain focuses on developing
classification schema, assigning classification levels, and maintaining accurate
inventories of data and devices.
ISO 27002:2013 series (Code of Practice)
5. Access Control (Section 9) – This domain focuses on managing authorized
access and preventing unauthorized access to information systems and extends
to remote locations, home offices, and mobile access
6. Cryptography (Section 10) – This domain was added in the 2013 update and it
focuses on proper and effective use of cryptography to protect the CIA of
information.
7. Physical and Environmental Security (Section 11) – This domain focuses on
designing and maintaining a secure physical environment to prevent
unauthorized access, damage, and interference to business premises.
8. Operations Security (Section 12) – This domain focuses on data centre
operations, integrity of operations, vulnerability management, protection against
data loss, and evidence-based logging.
ISO 27002:2013 series (Code of Practice)
9. Communications Security (Section 13) – This domain focuses on the protection
of information in transit
10. Information Systems Acquisition, Development, and Maintenance (Section 14)
– This domain focuses on the security requirements of information systems,
applications, and code from conception to destruction.
11. Supplier Relationships (Section 15) – This domain was added in the 2013 update.
The domain focuses on service delivery, third-party security requirements,
contractual obligations, and oversight.
12. Information Security Incident Management (Section 16) – This domain focuses
on a consistent and effective approach to the management of information security
incidents, including detection, reporting, response, escalation, and forensic
practices
ISO 27002:2013 series (Code of Practice)
13. Business Continuity (Section 17) – This domain focuses on availability and the secure
provision of essential services during a disruption of normal operating conditions.
14. Compliance Management (Section 18) – This domain focuses on conformance with
internal policy; local, national, and international criminal and civil laws; regulatory or
contractual obligations; intellectual property rights (IPR); and copyrights
Summary
 The CIA triad is the blueprint for what needs to be
protected in order to protect the organization.
 Protecting the organization's information security can seem
vague and too conceptual. Protecting the confidentiality,
integrity, and availability of the data is a concrete way of
saying the same thing.
 Standards such as ISO 27002 exist to help
organizations better define appropriate ways to protect their
information assets.
Thank You
Saudi Electronic University
Bachelor of Science in Information Technology
IT476
IT Security and Policies
26/12/2021
Security Program and Policies
Principles and Practices
by Sari Stern Greene
Updated 02/2018
Chapter 4: Governance and Risk
Management
Objectives
 Explain the importance of strategic alignment
 Know how to manage information security policies
 Describe information security-related roles and responsibilities
 Identify the components of risk management
 Create policies related to information security policy,
governance, and risk management
Understanding Information Security Policies
 The goal of the information security policies is to protect the
organization from harm:
 Policies should be written.
 Policies should be supported by management
 Policies should help companies align security with business
requirements and relevant laws and regulations
 ISO 27002:2013 can provide a framework for developing
security policies.
What Is Meant by Strategic Alignment?
 Treating security functions as a business enabler that adds value:
• It requires recognizing the value of information security, and
• Investing in people and processes, and treating security in the same fashion as
every other business requirement.
 Recognizing that the true value of information security is protecting the
business from harm and achieving organizational objectives.
 Two approaches to information security:
 Parallel approach
 Assigns responsibility for being secure to the IT department, views
compliance as optional, and has little or no organizational
accountability.
 Integrated approach
 Recognizes that security and success are intertwined.
User Versions of Information Security Policies
 Policies can serve as teaching documents to influence
behavior.
 Document and corresponding agreement should be developed
specifically for distribution to the user community.
 Acceptable Use Policy:
 Users need to acknowledge that they understand their
responsibilities and confirm their individual commitment.
Vendor Versions of Information Security Policies
 Vendors (often referred to as "third parties") are those that store, process,
transmit, or access information assets.
 Companies should create vendor versions of their information security policies.
 Vendors should be required to have controls that meet, or in some cases exceed,
the organization's requirements.
 *Policies must be approved by executive management.
 *Policies should be updated on a regular basis.
