Security Policy Framework : The Begining of Defence

By

Image : Workable Resources 


The security policy provides the framework for multi layered information security of your organisation. It encompasses the vision of your senior management, the regulations applicable to business operations, and guidance to achieve your security goals.

A security policy document establishes a structure to ensure that effective security strategies and controls are in place, roles and responsibilities are assigned, and communicated across the organization,  addressing information and issues.


The security documentation follows a hierarchy, stating from security policies, followed by standards, guidelines and procedures.  The compliance with policies, standards, and procedures is mandatory, guidelines are optional.


Security Policies

Security policies describe the organization’s security goals. They provide an overview of security needs, establish the security scope and define resources required to ensure security.


Security policies are mainly three types: 

Organizational security policies

Issue specific security policies

System specific security policies


This security policy is a strategic plan. It presents the importance of security to the organization and business functions. It defines roles, responsibilities, audit requirements, enforcement procedures, compliance requirements, and acceptable risk levels.


The issue-specific security policy describes distinct security needs, such as email policy, media disposal policy, physical security policy, recruitment and termination policy with reference to organisation security goals.


A system-specific security policy defines approved systems describing hardware and software, and how they are to be protected.


There are three other types of security policies extra to core policies. They are  regulatory, advisory, and informative policies. 


Regulatory policy discusses compliance issues with reference to regulatory frameworks applicable to the organization, such as the Sarbanes-Oxley Act (SOX) for finance firms, and the Health Insurance Portability and Accountability Act (HIPAA) for healthcare organizations, or GDPR  for handling personal data of EU citizens. 


Advisory policy communicates internal standards for behaviors and activities, including consequences of security violations.


Informative policy make employees aware of specific security topic, or background information in support of other security policies. Adherence to policies is mandatory for all employees.


Security Standards

Standards define the methods necessary to achieve the objectives set  by security policies.  While policies are strategic documents, standards are tactical documents  providing a course of action. Compliance with standards is mandatory.


Baselines are standards that define minimum levels of security which all systems should meet. They are often system specific and refer to an industry or government standard.  TCSEC, ITSEC, NIST are such standards.


Security Guidelines

Guidelines are recommendations and suggested actions to help implement standards and baselines. They are flexible and designed to be customized for different situations. Compliance to guidelines is optional.


Security Procedures

Procedures are the lowes layer in the  documentation hierarchy.  They are highly  detailed and provide step-by-srep instruction to perform an activity. 


Procedures provide specific step-by-step instructions for staff how to implement specific security controls correctly.  Detailed instructions for configuring a router, installing antivirus software or sending an encrypted email are example procedures. Compliance with security procedures is mandatory.


With regards to roles and responsibilities:
  • The senior management establishes the overall goals of the organization's information security program.
  • The CISO is responsible for day-to-day security administration.
  • The auditor is responsible for examining systems to see wheather they are meeting stated security requirements.
  • The user is responsible for following security procedures and reporting security problems.

Sample Information security policies from SANS

https://www.sans.org/information-security-policy/


Another 

https://www.allbusinesstemplates.com/template/E93UK/network-protection-and-info-security-policy/


Niranjan Meegammana 

Comments

Post a Comment

Popular posts from this blog

ISO 27001 ISMS in a Nutshell

By
Image
Image : ISO The ISO 27001 certification is the most comprehensive  information security standard recognized globally. It ensures standardizing of your organisation's information security strategies to ensure confidentiality, integrity and availability of your systems and data to conduct your business effectively.  Gaining the certification is a journey with several milestones. It is a carefully planned systematic activity that transforms an organisation to a secure entity,  where everyone becomes a stakeholder in information security. Follow this processes to get to your goal successfully. Step 1. Obtain Management Support . This is the most critical requirement to achieve ISO 27001 status. Your ISMS project will definitely fail if it does not receive to management support. The management should provide, people, money and strategic direction for your ISMS to be a success story. In the sections below you’ll find some tips on how to convince your management, and how much the implemen
Read more

How easily the data breaches occur? 5 ways to be aware of.

By
Image
Data breaches can occur at any unexpected moment. Unless you do not detect it fast, cybercriminals will have more time to exfiltrate information and cause bigger damage. On average it takes up to 30 days and costs $1 million to address a data breach incident stated 2021 Cost of a Data Breach Study. However, it could be more if you wait longer. Unfortunately, some took 6 months to respond.      Better safe than be sorry! Be prepared against data breaches.  There are 5 ways for your organization to avoid data breaches. Here is how. 1. Weak and stolen credentials  The most simplest way hackers use for data breaches is stealing passwords. Many people use predictable passwords like ‘Password1’ and ‘123456’. With them, cybercriminals don't even need to hack into a system to steal your sensitive data.  There are many tools that can help a cybercriminal to crack passwords. They run millions of popular credentials to break into your system. This requires you to have a strong password policy
Read more

Best Practices for secure Software Development

By
Image
image : OpenSense Labs Are you aware of the  Solarwinds attack in 2020? The hackers exploited software vulnerabilities of Orion IT monitoring and management software used by thousands of enterprises and government agencies. This hack triggered a larger scale supply chain incident which affected thousands of organizations, including the U.S. government. The attackers infliltrated the Solarwinds network, and infected the software used for Network monitoring before it shipped to customers.This insident and many more warn us on the importance of building secure software.  Secure software development is a methodology used for creating robust software by incorporating security practices into every stage of the software development life cycle (SDLC). It begins at planning stage before a single line of code is written, and continue through the life cycle. A bug fixing at implementation stage cost six times than fixing it during design stage. Every new feature added, may carry series of vulnera
Read more