This video covers how changes in business, technology, environment, regulations, and emerging risks shape an organization's security policy.
- [Instructor] Your organizational security policy should be evolving and changing over time. The policy will be shaped by numerous factors including the business model, technology, environment, regulations, and emerging risks. You must consider each of these factors when developing your security policy. Otherwise, you could get blindsided by new problems that you could have anticipated and already been mitigating against. While some of these factors, like your organizational business model and the technology utilized, may be obvious, others, like the environment, are a bit more complex. Now when I talk about the environment, I'm not necessarily referring to the forest or the oceans, but instead to the environment internal and external to your organization.
Your internal environment refers to the culture of your organization. Some organizations are led through a top-down approach where senior management initiates a change, supports it, and directs those changes to take place inside your security program and associated policies. Other organizations have a bottom-up culture, where the staff creates the change and then tries to garner management support. If you're trying to create a security policy in this type of organization, it can add additional challenges during your adoption phase. Now your external environment, on the other hand, refers to the rest of the industry, including your peers and competitors.
The changing landscape of your industry may require changes to your security policy as well. For example, as entire industries have shifted their focus and migrated into the Cloud, security policies had to be adapted and changed, as did their business models. Many of these factors are interrelated and can affect each other as well. Because of all of these constantly changing factors, it's important to review your security policies often and regularly. For the organizational security policy, a best practice is to conduct at least an annual review.
If a large change occurs prior to the annual review, then an off-cycle review can occur. An example of this might be when a new advanced cyber tech method is discovered, causing us to immediately review our security policy and procedures. Developing a policy is a lot of work, but luckily there are numerous frameworks that provide us with standards upon which to build. For example, the International Organization for Standardization and the International Electrotechnical Commission have created the ISO/IEC 27000 series.
This provides us with a list of standards on how to develop and maintain an information security management system, including a good security policy. There are dozens of different standards created under the ISO/IEC 27000 series umbrella. But for the CASP exam you don't need to memorize them all. Just remember that the 27000 series covers many different standards, guidelines, and controls for just about every aspect of good information systems security management.
- Risk mitigation strategies and controls
- Data security classification
- Extreme scenario and worst-case scenario planning
- Risk management of new products, technologies, and user behaviors
- Business models and strategies
- Third-party outsourcing and security
- Integrating diverse industries
- Security, privacy policies, and procedures in risk management
- Metrics collection and analysis
- Analyzing security solutions