Ch3 - 3.01 - Intro to Security Policies Flashcards

1
Q

Security Policy

A

A security policy is a large document made up of many subdocuments that defines the company’s security strategy. It is a document that defines all the rules in the organization that all personnel need to follow—including users, network administrators, security professionals, and the management team. It is important to note that even the security team in the organization must follow the security policy defined by the organization.

2
Q

Structure of a Policy

A
  1. Overview
  2. Scope
  3. Policy
  4. Enforcement
  5. Definitions
  6. Revision History
3
Q

Types of Policies

A
  1. Standard Policy
    A standard policy is a policy that needs to be followed and typically covers a specific area of security. Failure to follow a standard policy typically results in disciplinary action such as termination of employment.
  2. Guidelines
    Some policies are guidelines, which are recommendations on how to follow security best practices. In the past, the National Security Agency (NSA) had published on their web site a number of guidelines on security best practices for different types of servers and operating systems. No disciplinary actions result from not following a recommended policy because it is just that—a recommendation.
  3. Procedural Policy
    A procedural policy is also known as a standard operating procedure (SOP). The SOP documents step-by-step procedures showing how to configure a system or device, or step-by-step instructions on how to implement a specific security solution.