From the course: ISC2 Certified Information Systems Security Professional (CISSP) (2024) Cert Prep

Security policy framework

- [Instructor] Security professionals do a lot of writing. We need clearly written guidance to help communicate to business leaders and users and each other about security expectations and responsibilities. In some cases, we're setting forth mandatory rules that everyone in the organization must follow, while in other cases we're just giving advice. Each of these roles requires communicating a little bit differently. That's where the security policy framework comes into play. Most security professionals recognize a framework consisting of four different types of documents: policies, standards, procedures, and guidelines.

Security policies are the bedrock documents that provide the foundation for an organization's information security program. They're often developed over a long period of time and very carefully written to describe an organization's security expectations. Compliance with policies is mandatory, and policies are often approved at the very highest levels of an organization. Because of the rigor involved in developing security policies, authors should try to write them in a way that will stand the test of time. For example, statements like, "All sensitive information must be encrypted with AES-256 encryption," or, "Store all employee records in Room 226," are not good policy statements. What happens if the organization switches encryption technologies or moves its records room? Instead, a policy might make statements like, "Sensitive information must be encrypted both at rest and in transit using technology approved by the IT department, and employee records must be stored in a location approved by human resources." Those statements are much more likely to stand the test of time.

Security standards prescribe the specific details of security controls that the organization must follow. Standards derive their authority from policy. In fact, it's likely that an organization's security policy would include specific statements giving the IT department authority to create and enforce standards. Standards are the place to include things like the company's approved encryption protocols, record storage locations, configuration parameters, and other technical and operational details. Even though standards might not go through as rigorous a process as policies, compliance with them is still mandatory.

When it comes to complex configuration standards, organizations often draw upon industry benchmarks, such as the secure configuration guides available from the Center for Internet Security. These security baselines provide detailed configuration settings for a wide variety of operating systems, network infrastructure devices, application platforms, web servers, and other components of the IT infrastructure. They provide a great starting point for an organization's security standards. Some organizations simply use them as is, while others adopt these standards with slight customizations, or simply use them as a reference when designing their own custom security standards. Vendors also provide detailed configuration guides for their products that may prove useful. Cybersecurity professionals should consult with the vendors used by their organization to determine what guides are available and appropriate.

Security procedures are step-by-step instructions that employees follow when performing a specific security task. For example, the organization might have a procedure for activating the incident response team that involves sending an urgent SMS alert to team members, activating a video conference, and informing senior management. Compliance with procedures is mandatory.

Guidelines are where security professionals provide advice to the rest of the organization, including best practices for information security. For example, a guideline might suggest that employees use encrypted wireless networks whenever they are available. There might be situations where a traveling employee doesn't have access to an encrypted network, so they can compensate for that using a VPN connection. Remember, guidelines are advice; compliance with guidelines is not mandatory.

When you take the exam, be sure that you keep the differences between policies, standards, procedures, and guidelines straight. Specifically, remember that compliance with policies, standards, and procedures is mandatory, while complying with guidelines is always optional.
