From the course: CISSP Cert Prep (2021): 1 Security and Risk Management

Security policy framework


- [Narrator] Security professionals do a lot of writing. We need clearly written guidance to help communicate to business leaders, users, and each other about security expectations and responsibilities. In some cases, we're setting forth mandatory rules that everyone in the organization must follow. In other cases, we're simply giving advice. Each of these roles requires communicating a little bit differently. That's where the security policy framework comes into play. Most security professionals recognize a framework consisting of four different types of documents: policies, standards, guidelines, and procedures. Security policies are the bedrock documents that provide the foundation for an organization's information security program. They are often developed over a long period of time and are very carefully written to describe an organization's security expectations. Compliance with policies is mandatory, and policies are often approved at the very highest levels of an organization. Because of the rigor involved in developing security policies, authors should strive to write them in a way that will stand the test of time. For example, statements like "all sensitive information must be encrypted with AES-256 encryption" or "store all employee records in Room 226" are not good policy statements. What happens if the organization switches encryption technologies or moves its records room? Instead, a policy might make statements like "sensitive information must be encrypted both at rest and in transit using technology approved by the IT department" and "employee records must be stored in a location approved by human resources." Those statements are much more likely to stand the test of time. Security standards prescribe the specific details of security controls that the organization must follow. Standards derive their authority from policy.
In fact, it's likely that an organization's security policy would include specific statements giving the IT department the authority to create and enforce standards. Standards are the place to include things like the company's approved encryption protocols, records storage locations, configuration parameters, and other technical and operational details. Now, even though standards might not go through as rigorous a process as policies, compliance with them is still mandatory. When it comes to complex configuration standards, organizations often draw upon industry benchmarks such as the secure configuration guides available from the Center for Internet Security. These security standards provide detailed configuration settings for a wide variety of operating systems, network infrastructure devices, application platforms, web servers, and other components of the IT infrastructure. They provide a great starting point for an organization's own security standards. Some organizations use these standards as is, while others adopt these standards with slight customizations or simply use them as a reference when developing their own customized security standards. Vendors also provide detailed configuration guides for their own products that may prove useful. Cybersecurity professionals should consult with the vendors used in their organization to determine what guides are available and appropriate. Guidelines are where security professionals provide advice to the rest of the organization, including best practices for information security. For example, a guideline might suggest that employees use encrypted wireless networks whenever they are available. There might be situations where a traveling employee doesn't have access to an encrypted network, so they can compensate for that using a VPN connection. Now remember, guidelines are advice. Compliance with guidelines is not mandatory.
Procedures are step-by-step instructions that employees may follow when performing a specific security task. For example, the organization might have a procedure for activating the incident response team that involves sending an urgent text message alert to team members, activating a video conference, and informing senior management. Depending upon the organization and the type of procedure, compliance may be mandatory or optional. When you take the exam, be sure that you keep the differences between policies, standards, guidelines, and procedures straight. Specifically, remember that compliance with policies and standards is always mandatory. Complying with guidelines is always optional, and compliance with procedures can go either way depending upon the organization and the specific procedure in question.