Security policy frameworks provide information security professionals with clearly-written guidance to help communicate to business leaders, end users, and each other about security expectations and responsibilities. In this video, learn about security policies, standards, guidelines, and procedures.
- [Instructor] Security professionals do a lot of writing. We need clearly written guidance to help communicate to business leaders and users and each other about security expectations and responsibilities. In some cases, we're setting forth mandatory rules that everyone in the organization must follow, while in other cases we're simply giving advice. Each of these roles requires communicating a little bit differently. That's where the security policy framework comes into play.
Most security professionals recognize a framework consisting of four different types of documents: policies, standards, guidelines, and procedures. Security policies are the bedrock documents that provide the foundation for an organization's information security program. They are often developed over a long period of time and very carefully written to describe an organization's security expectations. Compliance with policies is mandatory and policies are often approved at the very highest levels of an organization.
Because of the rigor involved in developing security policies, authors should strive to write them in a way that will stand the test of time. For example, statements like "all sensitive information must be encrypted with AES-256 encryption" or "Store all employee records in room 226" are not good policy statements. What happens if the organization switches encryption technologies or moves its records room? You'll need to go through the rigorous policy approval process each time one of those changes takes place.
Instead, a policy might make statements such as, "sensitive information must be encrypted, both at rest and in transit using technology approved by the IT department" and "employee records must be stored in a location approved by Human Resources". Those statements are much more likely to stand the test of time. Security standards prescribe the specific details of security controls that the organization must follow. Standards derive their authority from policy.
In fact, it's likely that an organization's security policy would include specific statements giving the IT department authority to create and enforce standards. They're the place to include things like the company's approved encryption protocols, record storage locations, configuration parameters, and other technical and operational details. Even though standards might not go through as rigorous a development and approval process as policies, compliance with them is still mandatory.
When it comes to complex configuration standards, organizations often draw upon industry sources, such as the standards available from the Center for Internet Security. These security standards provide detailed configuration settings for a wide variety of operating systems, network devices, application platforms, and other components of the IT infrastructure. They provide a great starting point for an organization's security standards. Some organizations simply use them as-is, while others adopt these standards with slight customizations or simply use them as a reference when developing their own custom security standards.
Guidelines are where security professionals provide advice to the rest of the organization, including best practices for information security. For example, a guideline might suggest that employees use encrypted wireless networks whenever they are available. There might be situations where a traveling employee does not have access to an encrypted network so they can compensate for that by using a VPN connection. Remember, guidelines are advice. Compliance with guidelines is not mandatory.
Security procedures are step-by-step instructions that employees may follow when performing a specific security task. For example, the organization might have a procedure for activating an incident response team that involves sending an urgent SMS alert to team members, activating a video conference, and informing senior management. Depending upon the organization and the type of procedure, compliance may be mandatory or optional. When you take the exam, be sure that you know the differences between policies, standards, guidelines, and procedures.
Specifically, remember that compliance with policies and standards is always mandatory. Complying with guidelines is always optional, and compliance with procedures can go either way. It depends on the organization and the specific procedure in question.
Want more CySA+ test prep tips? Visit certmike.com to join Mike's free study group.