Join Mike Chapple for an in-depth discussion in this video Security policy framework, part of CompTIA Security+ (SY0-501) Cert Prep: 5 Risk Management.
- [Instructor] Security professionals do a lot of writing. We need clearly written guidance to help communicate to business leaders and users and each other about security expectations and responsibilities. In some cases, we're setting forth mandatory rules that everyone in the organization must follow, while, in other cases, we're simply giving advice. Each of these roles requires communicating a little bit differently. That's where the security policy framework comes into play.
Most security professionals recognize a framework consisting of four different types of documents: policies, standards, guidelines, and procedures. Security policies are the bedrock documents that provide the foundation for an organization's information security program. They are often developed over a long period of time and very carefully written to describe an organization's security expectations. Compliance with policies is mandatory, and policies are often approved at the very highest levels of an organization.
Because of the rigor involved in developing security policies, authors should strive to write them in a way that will stand the test of time. For example, statements like all-sensitive information must be encrypted with AES-256 encryption or store all employee records in Room 226 are not good policy statements. What happens if the organization switches encryption technologies or moves its records room? You'll need to go through the rigorous policy approval process each time one of those changes takes place.
Instead, a policy might make statements such as sensitive information must be encrypted both at rest and in transit using technology approved by the IT department, and employee records must be stored in a location approved by human resources. Those statements are much more likely to stand the test of time. Security standards prescribe the specific details of security controls that the organization must follow. Standards derive their authority from policy.
In fact, it's likely that an organization's security policy would include specific statements giving the IT department authority to create and enforce standards. They are the place to include things like the company's approved encryption protocols, record storage locations, configuration parameters, and other technical and operational details. Even though standards might not go through as rigorous a development and approval process as policies, compliance with them is still mandatory.
When it comes to complex configuration standards, organizations often draw up industry sources such as the standards available from the Center for Internet Security. These standards standards provide detailed configuration settings for a wide variety of operating systems, network devices, application platforms, and other components of the IT infrastructure. They provide a great starting point for an organization's security standards. Some organizations simply use them as is, while others adopt these standards with slight customizations or simply use them as a reference when developing their own custom security standards.
Guidelines are where security professionals provide advice to the rest of the organization, including best practices for information security. For example, a guideline might suggest that employees use encrypted wireless networks whenever they are available. There might be situations where a traveling employee does not have access to an encrypted network, so they can compensate for that by using a VPN connection. Remember, guidelines are advice. Compliance with guidelines is not mandatory.
Security procedures are step-by-step constructions that employees may follow when performing a specific security task. For example, the organization might have standard operating procedures that cover a number of security topics, such as assigning user permissions, conducting account management reviews, or performing forensic analysis. A standard operating procedure covering activating the incident response team might prescribe sending an urgent SMS alert to team members, activating a video conference, and informing senior management.
Depending upon the organization and the type of procedure, compliance may be mandatory or optional. When you take the Security Plus Exam, be sure that you know the differences between policies, standards, guidelines, and procedures. Specifically, remember that compliance with policies and standards is always mandatory, complying with guidelines is always optional, and compliance with procedures can go either way, depending upon the organization and the specific procedure in question.
- Security controls and policies
- Risk assessment and management
- Managing vendor relationships
- Social network security
- Security in the hiring process
- Measuring security education
- Business continuity planning and controls
- Preparing for incident response
- Network and software forensics
- Data security policies and roles
- Privacy assessments