What are the 3 types of security policy?

An organization should define its security plan. Security follows a top-down approach: the security strategy and scope are discussed, defined, and approved at the top level (top management). Once approved, they are propagated to middle management, then to the team leaders, and finally to the executives who must follow them. This plan and scope must be documented in a set of formalized documents that act as the security bible of the organization. Policies and procedures are the subject of today’s article. Enjoy the read.

Types of Security Documentation

The security documents could be:

  • Policies.
  • Standards.
  • Baselines.
  • Guidelines.
  • Procedures.

In the following sections, we are going to discuss each type of document.

The Security Policy
The security policy is a high-level document that defines the organization’s vision concerning security, goals, needs, scope, and responsibilities.

Three main types of policies exist:

  • Organizational (or Master) Policy.
  • System-specific Policy.
  • Issue-specific Policy.

The master security policy can be thought of as a blueprint for the whole organization’s security program. It is the strategic plan for implementing security in the organization.

A System-specific policy is concerned with a specific or individual computer system. It is meant to present the approved software, hardware, and hardening methods for that specific system.

An Issue-specific policy is concerned with a certain functional aspect that may require more attention. For this reason, a separate policy is prepared for that issue to explain in detail the required level of security and the instructions that all staff in the organization must abide by to achieve this level. Examples of this type of policy are:

  • Change Management Policy.
  • Physical Security Policy.
  • Email Policy.
  • Encryption Policy.
  • Vulnerability Management Policy.
  • Media Disposal Policy.
  • Data Retention Policy.
  • Acceptable Use Policy.
  • Access Control Policy.

Once the master policy, the issue-specific policies, and the system-specific policies are approved and published, another set of documents can be prepared in light of these high-level policies.

Security Standards
Standards define the obligatory rules, instructions, and/or actions required to realize the goals and objectives set by the top management in the security policies.

Baselines
A baseline specifies the minimum level of security required. All systems in the organization must comply with that minimum. To determine which systems meet the baseline and which don’t, an evaluation must be done on a regular basis and whenever major changes are made. Such an evaluation could be done either by the organization’s security team or outsourced to a third-party consultant.

Guidelines
Guidelines are practical instructions and recommendations targeting all levels of staff in the organization. They are considered operational guides on how to apply and enforce the standards and baselines. Guidelines are flexible and not obligatory.

Procedures
Procedures are the lowest level in the organization’s security documentation structure.

While a security policy is a high-level document containing general directives, a procedure is a very detailed document that gives step-by-step instructions for how a specific task is done.

Now, let’s assemble all the pieces together to see the complete picture:

  • The security policy dictates in general words that the organization must maintain a malware-free computer system environment.
  • A standard states in strict words that every computer in the organization’s network must have an antivirus installed and updated with the latest virus definitions.
  • A baseline sets the threshold below which a computer will be considered insecure, and above which it will be considered secure. The baseline could be, for example, a fully patched computer with antivirus installed and virus definitions no more than 7 days older than the latest definitions published by the vendor.
  • Guidelines could be instructions like:
    1. When you receive an email from an untrusted or unknown sender, don’t open any attachments in the mail.
    2. Use of USB flash drives, hard disks, and CD-ROMs is prohibited on the organization’s computers.
    3. Don’t attempt to disable or hinder the antivirus operation.
  • Procedures could be the antivirus installation and configuration steps on network hosts.
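The baseline in the picture above is measurable, so the regular evaluation that decides which hosts meet it can be automated. The following is an added example, not code from the original article: it encodes that baseline (fully patched, antivirus installed, definitions no more than 7 days behind the vendor) and reports, per host, the findings that make a host fall below it. Host names, dates and the inventory format are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

# Baseline from the article: fully patched, antivirus installed, and virus
# definitions no more than 7 days behind the vendor's latest release.
MAX_DEFINITION_AGE = timedelta(days=7)


@dataclass
class Host:
    """One record from a (hypothetical) host inventory export."""
    name: str
    fully_patched: bool
    antivirus_installed: bool
    definitions_date: Optional[date]  # None when no definitions are present


def evaluate_host(host: Host, latest_vendor_definitions: date) -> List[str]:
    """Return the baseline findings for one host; an empty list means compliant."""
    findings: List[str] = []
    if not host.fully_patched:
        findings.append("missing patches")
    if not host.antivirus_installed:
        findings.append("antivirus not installed")
    elif host.definitions_date is None:
        findings.append("no virus definitions present")
    else:
        # Age is measured against the vendor's latest release, not against today,
        # so a host is not penalised for a vendor that has not published recently.
        age = latest_vendor_definitions - host.definitions_date
        if age > MAX_DEFINITION_AGE:
            findings.append(f"virus definitions {age.days} days behind vendor (max 7)")
    return findings


def evaluate_inventory(hosts: List[Host], latest_vendor_definitions: date) -> Dict[str, List[str]]:
    """Map each host name to its findings; hosts mapped to [] meet the baseline."""
    return {h.name: evaluate_host(h, latest_vendor_definitions) for h in hosts}


# Constructed sample data: the vendor's latest definition date and four hosts.
LATEST_DEFINITIONS = date(2024, 3, 15)
SAMPLE_HOSTS = [
    Host("ws-01", True, True, date(2024, 3, 14)),  # within baseline
    Host("ws-02", True, True, date(2024, 3, 8)),   # exactly 7 days: still within baseline
    Host("ws-03", True, True, date(2024, 3, 1)),   # definitions 14 days behind
    Host("ws-04", False, False, None),             # unpatched and no antivirus
]

if __name__ == "__main__":
    for name, findings in evaluate_inventory(SAMPLE_HOSTS, LATEST_DEFINITIONS).items():
        status = "secure" if not findings else "insecure: " + "; ".join(findings)
        print(f"{name}: {status}")
```

The threshold is deliberately inclusive at 7 days, matching the article's "not older than 7 days"; change the comparison if your standard words the limit differently.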

Have you seen the complete picture now? Great!

Summary

  • A security policy is a high-level document that dictates the top management’s security vision, objectives, scope, and responsibilities.
  • A standard is a set of obligatory rules that support the security policy.
  • A security baseline is a threshold that all the systems in the organization must comply with.
  • A guideline is a set of flexible recommendations and best practices.
  • A procedure is a detailed, step-by-step document that illustrates how to perform a specific task.

In the next article, we will tackle a new domain in our CISSP study journey: Access Control.

I hope you enjoy studying CISSP with us.

An Information Technology (IT) Security Policy identifies the rules and procedures for all individuals accessing and using an organization's IT assets and resources. An effective IT security policy is a model of the organization’s culture, in which rules and procedures are driven by its employees' approach to their information and work. Thus, an effective IT security policy is a unique document for each organization, cultivated from its people’s perspectives on risk tolerance, how they see and value their information, and the resulting availability of that information that they maintain. For this reason, many companies will find a boilerplate IT security policy inappropriate, because it does not consider how the organization’s people actually use and share information among themselves and with the public.

The objective of an IT security policy is the preservation of confidentiality, integrity, and availability of the systems and information used by an organization’s members. These three principles compose the CIA triad:

  • Confidentiality involves the protection of assets from unauthorized entities
  • Integrity ensures the modification of assets is handled in a specified and authorized manner
  • Availability is a state of the system in which authorized users have continuous access to said assets

The IT Security Policy is a living document that is continually updated to adapt to evolving business and IT requirements. Institutions such as the International Organization for Standardization (ISO) and the U.S. National Institute of Standards and Technology (NIST) have published standards and best practices for security policy formation. As stipulated by the National Research Council (NRC), the specifications of any company policy should address:

  1. Objectives
  2. Scope
  3. Specific goals
  4. Responsibilities for compliance and actions to be taken in the event of noncompliance.

Also mandatory for every IT security policy are sections dedicated to the adherence to regulations that govern the organization’s industry. Common examples of this include the PCI Data Security Standard and the Basel Accords worldwide, or the Dodd-Frank Wall Street Reform, the Consumer Protection Act, the Health Insurance Portability and Accountability Act, and the Financial Industry Regulatory Authority in the United States. Many of these regulatory entities require a written IT security policy themselves.

An organization’s security policy will play a large role in its decisions and direction, but it should not alter its strategy or mission. Therefore, it is important to write a policy that is drawn from the organization’s existing cultural and structural framework, so that it supports continued productivity and innovation, rather than a generic policy that impedes the organization and its people from meeting their mission and goals.

Every formal organization today maintains a security framework to guard its critical information. Information security is a baseline requirement, and many different types of information security policy exist to support it.

Hundreds of thousands of organizations operate today, and three main types of information security policy serve them. Each organization has a complex information structure holding massive amounts of data, and the different types of policy address different threats.

Data is king; it is often called the ‘oil’ of the future. Several types of security policy are in use today, and the world’s top organizations take full advantage of them.

Hence, protecting this data is every organization’s top priority. Drafting an information security policy is essential, and the draft is usually prepared before an organization starts operating. Because there are different types of policy, there are usually several drafts.

Every organization has different information security policy requirements based on its information infrastructure and scale. A security policy provides a way to educate every employee in the organization about information security.

Three types of information security policy are highly recommended, and each is discussed below. Employing all three allows an organization to run smoothly without hindrance; what they provide is consistency.

An information security policy, usually abbreviated ISP, is a set of rules to be followed by every stakeholder in an organization. Policies directed at employees and staff generally encourage the organization to train its staff on the different types of information security policy.

A security policy provides a way to safeguard how data is used, stored, and transformed. It ensures that minimum security protocols apply to all components, users, databases, and information networks within an organization.

A security policy provides a way to protect, insure, and maintain the confidentiality of an information database. And for each threat, a different type of information security policy is needed.

Why Is Security Policy For An Organization So Important?

Drafting a security policy for an organization is an important aim that should be achieved as soon as possible.

Because organizations handle vast amounts of data, data leaks and data breaches are common. Data is the lifeblood of an organization’s information technology (IT), so preventing leaks and breaches is given the utmost priority, which is why a security policy is so badly needed.

A security policy is also important because of the vulnerabilities prevalent in the digital world. It is the first line of defense an organization has in protecting itself against unauthorized access and cyberattacks.

Certain forms of data require a higher security priority than others. A security policy ensures that intellectual property and sensitive data are protected under that higher priority. This is one way in which types of information security policy differ: by priority and preference.

A security policy is also important because every employee has the right to have his or her data protected by the organization at all costs. Personally identifiable information must be protected at all costs because it contains an employee’s personal information.

What Does A Security Policy For An Organization Consist Of?

Usually, the more layers a security policy has, the better the protection it provides. A security policy is the foundation of a reliably functioning information infrastructure. A security policy for an organization usually consists of:

  • A document consisting of security measures
  • User access policies 
  • Established controls, protocols, and security management systems in order to ensure compliance with security measures. 
  • Guidelines and backup plans in case of new threats and security risks 
  • A document that provides awareness to the organization’s employees 

The different types of information security policy can be combined into a single security policy for an organization, but they must coexist in harmony. Different types of policy usually have different outcomes, so a security policy should be thorough yet consistent with the other types of policy.

These types of information security policy will now be discussed.

There are several types of information security policy. However, these three are most commonly used in the US: acceptable encryption and key management policy, data breach response policy, and clean desk policy.

1. Acceptable Encryption and Key Management Policy 

Among the three types, this is the most commonly used. An acceptable encryption and key management policy is found in almost every organization’s policy set because encryption is such a crucial task.

The encryption policy covers a wide spectrum of components, including information assets and networks.

This policy performs the vital task of ensuring that all encryption keys for the respective information structures are themselves encrypted and secure.

This policy also grants employees only partial access.

2. Data Breach Response Plan

A data breach response plan is absolutely vital for a company’s information security and acts as the last line of defense. It paves the way for fighting hackers, viruses, and other threats. Among the three types, it is the second most commonly used.

Every organization should have a data breach response plan in place because it protects vital information from falling into hackers’ hands.

A data breach response plan usually describes how to safeguard high-risk and valuable company data such as employee information, financial planning and records, and so on.

Among the three types, this is the most vital policy because it enables the organization’s primary defense capabilities, and it shows how a security policy ensures trust and reliability in the organization’s information security infrastructure.

3. Disaster Recovery Plan Policy 

Among the three types, this policy ranks alongside the previous two in importance and criticality. A disaster recovery plan policy shows how a security policy keeps an organization running smoothly.

After a man-made or natural disruption that leads to systems being compromised or shut down, the disaster recovery plan policy restores critical technology services immediately, allowing business and organizational operations to continue smoothly.

This policy shows how important all three types of information security policy are to an organization, because together they ensure smoothly functioning operations.

Now that we have covered the types of information security policy, let’s discuss their characteristics.

Types of Security Policy Characteristics

A security policy provides a path to a reliable future, with operating possibilities secured by protected data. A security policy must possess certain characteristics; many policies fail because their authors neglect to maintain them.

In short, a security policy provides a way to a successful future for an organization if it has the characteristics described below.

There are several important security policy characteristics, sometimes referred to as key elements. The most important are discussed below:

Purpose

This is the first characteristic and the starting point for all the others.

Different types of information security policy have different connotations; however, a purpose statement is relevant to all of them.

A purpose statement of a security policy usually includes: 

  • Information regarding the preservation of ethical, legal, and security requirements.
  • A security code of conduct for all employees to follow.
  • The security practices conducted by the organization.
  • How each security policy leads to better outcomes.
  • Related security plans.

Audience 

This is one of the most crucial characteristics because it filters out stakeholders in the organization for whom the policy is not relevant.

Confidentiality, Integrity, and Availability

The CIA combination is one of the most crucial characteristics; it is key to a security policy remaining effective in the long term.

The CIA combination encompasses everything that must be included in a thorough and proper security policy.

An organization will succeed if its security policy merges confidentiality, integrity, and availability successfully.

This part of a well-rounded information security policy selects and allocates access responsibility among employees and the various levels present in an organization.

An access control policy allocates roles and responsibilities among the different levels and employees. Through this process, employees are made aware of what they have to do in an emergency.

This feature of an information security policy keeps employees practiced and ready should an unfortunate event occur, such as a data leak or hack.

Data Levels

As discussed previously, data has different degrees of importance. Organizations are well aware of these distinctions, so a good information security policy defines data levels.

  • Level 1: This information has no protection or filter, and it can be viewed by the general public.
  • Level 2: Information that is kept confidential by an organization. However, this level has a low security priority because a leak will not harm the organization.
  • Level 3: Disclosed information will harm your organization and its people.
  • Level 4: If disclosed, this level of information will cause critical harm to your organization.
  • Level 5: Disclosed information will cause detrimental harm to your organization and especially its people. These are the most damaging attacks.

Now let’s discuss an example of computer security policy.

Example of Computer Security Policy

A computer security policy is similar to an organization’s information security policies. The goal is the same: to achieve information security and to secure data as much as possible. 

An example of computer security policy is a data breach response plan. A second example is a disaster recovery plan policy, and a third is an acceptable encryption policy.

As you can see, an example of computer security policy can be the same as the examples of general cybersecurity policy we have been discussing so far.

Whenever a computer is mentioned, information and data must be included, because a computer’s main purpose is to process and regulate data.

Another example of computer security policy can be system-specific security policies. 

This example pertains strictly to computers and all intelligent machinery employed by an organization. These machines hold large amounts of important data, so their protection is of the utmost importance to an organization.

This is a crucial example of computer security policymaking: developing a policy that caters to, and protects data on, all the fronts listed below:

  • Physical security: A crucial example of computer security policy, this covers how security is managed at an organization’s physical sites, usually offices and buildings. This is also where the computers are located, which makes it an important example of computer security policy.
  • Data retention and encryption: This covers how the company manages data: what data should be gathered, what data should be released, and how that data can be encrypted effectively so that there is less chance of a breach. All of these operations are carried out on computers.