1.7 Develop, Document, and Implement Security Policies, Procedures, Standards, Baselines, and Guidelines. Flashcards

1
Q

What Group should be in Charge of Designing Security Policies for the Board of Directors and CEO?

A

Governance Committee. This should include an overarching security policy that aligns with the organization's goals and objectives for the security function.

2
Q

What are policies in a corporate sense?

A

Policies are corporate laws that reflect the goals and objectives of an organization. They dictate and communicate management’s intentions.

3
Q

Why is an overarching security policy critical for an organization?

A

It sets the tone and helps create the culture necessary for effective organizational security to exist. This policy should be consistently communicated, especially from upper management.

4
Q

A simple overarching security policy must do what?

A

Clearly express that the board and CEO are accountable, while everyone in the organization is responsible for security and for protecting the value of assets.

5
Q

Why should an overarching security policy be simple and effective?

A

To ensure the security function is seen as an enabler and a helper, as opposed to the traditional view of security as an obstacle. [For instance, when a team is told they can’t do something because of security risks]

6
Q

What should flow from an overarching policy?

A

Specific functional security policies.

7
Q

What makes up a functional security policy?

A

Standards | Procedures | Baselines | Guidelines

8
Q

TRUE or FALSE:
Policies need to be reviewed yearly to ensure effectiveness.

A

FALSE: Policies do not need to be reviewed every year, but standards, procedures, baselines, and guidelines may need to be updated regularly.

9
Q

How do Overarching and Functional Policies Differ? How are functional policies supported?

A

Overarching policies are a generalized statement of the organization's goals and objectives | Functional policies are unique policies that build upon the goals of the overarching policies | Functional policies are made up of standards, baselines, procedures, and guidelines that support the goal of the functional policy.

10
Q

Using an Anti-Malware Mandate as an example of a Functional Policy, explain how standards, guidelines, baselines, and procedures can support this functional policy.

A

A standard can specify the version of anti-malware software to use | a procedure can outline the steps to install it | and a guideline can suggest ideal goals for anti-malware efforts, such as enabling heuristics in anti-malware software where possible.

11
Q

What are aspects of a Policy?

A

Documents that communicate management’s goals and objectives | Provide authority to security activity | Define the elements, functions, and scope of the security team | Must be approved and communicated | Considered corporate law

12
Q

What are Standards in Relation to Policies?

A

Specific hardware and software solutions, mechanisms, and products. Includes: Specific anti-virus software, specific access control systems, specific firewalls, and published guidelines adopted as an organization standard.

13
Q

What are Procedures in Relation to Policies?

A

Step-by-step instructions on how to perform a task; mandatory actions. Includes: User registration or new hire onboarding, contracting for security purposes, information system material destruction, incident response.

14
Q

What are Baselines in Relation to Policies?

A

Defined minimal implementation methods/levels for a security mechanism and product. Includes: Configurations for intrusion detection systems and configurations for access controls.

15
Q

What are Guidelines in Relation to Policies?

A

Recommended and suggested actions. Includes: Government recommendations, security configuration recommendations, organization guidelines, and product/system evaluation criteria. (Note: Guidelines allow an organization to suggest that something be done without making it a hard requirement, and thus without causing a negative audit finding when it is not done.)
