Security Policies Standards and Procedures

• These documents have to exist as a separate entity because they each perform a different specialized function

  • Benefits of separation

    • Not all users need to know the security standards, baselines, guidelines, and procedures for all security classification levels

    • When changes occur, it is easier to update and redistribute only the affected material

Security Policies

• Security policy

  • Top tier of the formalization

  • document that defines the scope of security needed by the organization and discusses the assets that require protection and the extent to which security solutions should go to provide the necessary protection

  • What it does

    • Defines the main security objectives

    • Outlines the security framework of an organization

    • Identifies the major functional areas of data processing

    • Defines all relevant terminology

  • What it is used for

    • To assign responsibilities

    • To define roles

    • Specify audit requirements

    • Outline enforcement processes

    • Indicate compliance requirements

    • Define acceptable risk levels

• Types of Security policies

  • Organizational security policy

    • Focuses on issues relevant to every aspect of an organization

  • Issue-specific security policy

    • Focuses on specific network service, department, function, or other aspect that is distinct from the rest of the organization

  • System-specific security policy

    • Individual systems or types of systems

    • Prescribes approved hardware and software

    • Outlines methods for locking down a system

• Categories of security policies

  • Regulatory policy

    • Required whenever industry or legal standards are applicable

    • Have to be followed and outlines the procedures that should be used to elicit compliance

  • Advisory policy

    • Behaviors and activities that are acceptable and defines consequences of violations

    • Most policies are advisory

  • Informative policy

    • Provide information or knowledge about a specific subject, such as company goals, mission statements, or how the organization interacts with partners and customers

    • Provides support, research or background information

• Acceptable use policy

  • Designed to assign security roles within the organization

  • Ensure the responsibilities tied to those roles

  • Failure to comply with the policy can result in job action warnings, penalties or termination.

Security Standards, Baselines, and Guidelines

• Standards

  • Define compulsory requirements for the use of hardware, software, technology, and security controls

  • Tactical documents that define steps or methods to accomplish the goals

• Baseline

  • Defines a minimum level of security that every system throughout the organization must meet

  • More operationally focused

  • Takes the goals of a security policy and the requirements of the standards and defines them specifically in the baseline as a rule against which to implement and compare IT systems

  • Usually system specific

• Guidelines

  • Offers recommendations on how standards and baselines are implemented

  • Serves as an operational guide for both security professionals and users

  • State which security mechanisms should be deployed instead of prescribing a specific product or control

  • Outline methodologies and include suggested actions

  • Not obligatory

Security Procedures

• Procedure / Standard Operating Procedure (SOP)

  • Detailed, step-by-step how-to document that describes exact actions necessary to implement a specific security mechanism, control, or solution

• Purpose

  • Ensure the integrity of business processes

  • All activities should be in compliance with policies, standards and guidelines

  • Ensure standardization of security across all systems