Security policy frameworks provide information security professionals with clearly written guidance to help communicate to business leaders, end users, and each other about security expectations and responsibilities. In this video, you will learn about security policies, standards, guidelines, and procedures.
- [Instructor] Security professionals do a lot of writing. We need clearly written guidance to help communicate to business leaders, users, and each other about security expectations and responsibilities. In some cases, we're setting forth mandatory rules that everyone in the organization must follow, while in other cases we're simply giving advice. Each of these roles requires communicating a little bit differently. That's where the security policy framework comes into play.
Most security professionals recognize a framework consisting of four different types of documents: policies, standards, guidelines, and procedures. Security policies are the bedrock documents that provide the foundation for an organization's information security program. They are often developed over a long period of time and very carefully written to describe an organization's security expectations. Compliance with policies is mandatory, and policies are often approved at the very highest levels of an organization.
Because of the rigor involved in developing security policies, authors should strive to write them in a way that will stand the test of time. For example, statements like "all sensitive information must be encrypted with AES-256 encryption" or "store all employee records in Room 226" are not good policy statements. What happens if the organization switches encryption technologies or moves its records room? You'll need to go through the rigorous policy approval process each time one of those changes takes place.
Instead, a policy might make statements such as "sensitive information must be encrypted both at rest and in transit using technology approved by the IT department" and "employee records must be stored in a location approved by Human Resources." Those statements are much more likely to stand the test of time. Security standards prescribe the specific details of security controls that the organization must follow. Standards derive their authority from policy.
In fact, it's likely that an organization's security policy would include specific statements giving the IT department authority to create and enforce standards. They're the place to include things like the company's approved encryption protocols, record storage locations, configuration parameters, and other technical and operational details. Even though standards might not go through as rigorous a development and approval process as policies, compliance with them is still mandatory.
When it comes to complex configuration standards, organizations often draw upon industry sources, such as the standards available from the Center for Internet Security. These security standards provide detailed configuration settings for a wide variety of operating systems, network devices, application platforms, and other components of the IT infrastructure. They provide a great starting point for an organization's security standards. Some organizations simply use them as-is, while others adopt these standards with slight customizations or simply use them as a reference when developing their own custom security standards.
Guidelines are where security professionals provide advice to the rest of the organization, including best practices for information security. For example, a guideline might suggest that employees use encrypted wireless networks whenever they are available. There might be situations where a traveling employee does not have access to an encrypted network, so they can compensate for that by using a VPN connection. Remember, guidelines are advice. Compliance with guidelines is not mandatory.
Security procedures are step-by-step instructions that employees may follow when performing a specific security task. For example, the organization might have a procedure for activating the Incident Response Team that involves sending an urgent SMS alert to team members, activating a video conference, and informing senior management. Depending upon the organization and the type of procedure, compliance may be mandatory or optional. When you take the CISSP exam, be sure that you know the differences between policies, standards, guidelines, and procedures.
Specifically, remember that compliance with policies and standards is always mandatory. Complying with guidelines is always optional. And compliance with procedures can go either way, depending upon the organization and the specific procedure in question.
Members who complete this course will be prepared to answer questions on the Security and Risk Management domain of the CISSP exam, and establish a critical foundation for the rest of their careers.
Find the companion study books at the Sybex test prep site and review the complete CISSP Body of Knowledge at https://www.isc2.org/cissp-domains/default.aspx.