An organization should define its security plan. Security follows a top-down approach: the security strategy and scope are discussed, defined, and approved at the top level (top management). Once approved, they are propagated to middle management, then to the team leaders, and finally to those who execute them. The plan and scope must be documented in a set of formalized documents that act as the security bible of the organization. Policies and procedures will be the subject of today's article. Have a nice reading.
Types of Security Documentation
The security documents could be:
In the following sections, we are going to discuss each type of document.
The Security Policy
Three main types of policies exist:
The master security policy can be thought of as a blueprint for the whole organization's security program. It is the strategic plan for implementing security in the organization. A system-specific policy is concerned with a specific or individual computer system. It is meant to present the approved software, hardware, and hardening methods for that specific system. An issue-specific policy is concerned with a certain functional aspect that may require more attention. For this reason, a separate policy is prepared for that issue to explain in detail the required level of security and the instructions that all staff in the organization must abide by to achieve this level. Examples of this type of policy are:
Once the master policy, the issue-specific policies, and the system-specific policies are approved and published, another set of documents can be prepared in the light of these high-level policies.
Security Standards
Baselines
Guidelines
Procedures
Procedures are the lowest level in the organization's security documentation structure. While a security policy is a high-level document containing general directives, a procedure is a very detailed document that gives step-by-step instructions on how a specific task is done. Now, let's assemble all the pieces together to see the complete picture:
Have you seen the complete picture now? Great!
Summary
In the next article, we will take on a new domain in our journey through the CISSP study: Access Control. I hope you enjoy studying CISSP with us.
An Information Technology (IT) Security Policy identifies the rules and procedures for all individuals accessing and using an organization's IT assets and resources. An effective IT security policy is a model of the organization's culture, in which rules and procedures are driven by its employees' approach to their information and work. Thus, an effective IT security policy is a unique document for each organization, cultivated from its people's perspectives on risk tolerance, how they see and value their information, and the resulting availability that they maintain of that information. For this reason, many companies will find a boilerplate IT security policy inappropriate because it does not consider how the organization's people actually use and share information among themselves and with the public. The objective of an IT security policy is the preservation of confidentiality, integrity, and availability of the systems and information used by an organization's members. These three principles compose the CIA triad:
The IT security policy is a living document that is continually updated to adapt to evolving business and IT requirements. Institutions such as the International Organization for Standardization (ISO) and the U.S. National Institute of Standards and Technology (NIST) have published standards and best practices for security policy formation. As stipulated by the National Research Council (NRC), the specifications of any company policy should address:
Also mandatory for every IT security policy are sections dedicated to adherence to the regulations that govern the organization's industry. Common examples include the PCI Data Security Standard and the Basel Accords worldwide, or the Dodd-Frank Wall Street Reform and Consumer Protection Act, the Health Insurance Portability and Accountability Act, and the Financial Industry Regulatory Authority in the United States. Many of these regulatory entities themselves require a written IT security policy. An organization's security policy will play a large role in its decisions and direction, but it should not alter its strategy or mission. Therefore, it is important to write a policy that is drawn from the organization's existing cultural and structural framework, so that it supports the continuity of productivity and innovation rather than being a generic policy that impedes the organization and its people from meeting its mission and goals.
Every formal organization today has a proper security framework in place to guard its critical information. Information security is a given requirement, and many different types of information security policy exist. In today's world, there are hundreds of thousands of organizations and three types of information security policy. Each organization has complex information structures holding massive amounts of data, and the different types of information security policy cater to different threats. Data is king. Data is considered to be the next 'oil' of the future. Several types of security policy networks exist today, and the top organizations of the world are taking immense advantage of them. Hence, protecting this data is every organization's top priority. Drafting an information security policy is extremely important, and the draft is usually created before an organization starts operating.
With different types of information security policy, there are multiple drafts. Every organization has different information security policy requirements based on its information infrastructure and scale. A security policy provides a way to educate every employee in the organization about information security. There are three types of information security policy that are highly recommended, and they will be discussed below. Employing these three types of information security policy will allow your organization to run smoothly without hindrance; that is what they do: they provide consistency. An information security policy, usually referred to as an ISP, is a set of rules to be followed by every stakeholder of an organization. Types of information security policy directed towards employees and staff encourage organizations to provide their staff with training on the different types of policy. A security policy provides a way to safeguard data usage, storage, and transformation. This is done to ensure that minimum security protocols are provided to all components, users, databases, and information networks within an organization. A security policy provides a way to protect, insure, and maintain the confidentiality of an information database. And for each threat, there is a need for a different type of information security policy.
Why Is Security Policy For An Organization So Important?
Drafting a security policy for an organization is an important aim that should be achieved as soon as possible. Because organizations deal with vast amounts of data, there are often instances of data leaks and data breaches.
For an organization, data is the lifeblood of its whole information technology (IT), hence data leaks and data breaches are given the utmost priority, which is why there is a dire need for a security policy for an organization. A security policy for an organization is also important because of the prevalent vulnerabilities in the digital world. It is the first line of defense available to the organization in protecting itself against unauthorized access and cyberattacks. Certain forms of data require a higher security priority than others. A security policy for an organization leads to intellectual property and sensitive data being protected with a higher security preference. Through this case, we observe how there are different types of information security policy in terms of priority and preference. A security policy for an organization is also important because it is every employee's right to have his or her data protected by the organization at all costs. Personally identifiable information has to be protected at all costs because it contains the personal information of an employee of the organization.
What Does A Security Policy For An Organization Consist of?
Usually, the more layers there are to a security policy, the better the security provision is. A security policy provides a way to a reliably functioning information infrastructure for an organization. A security policy for an organization usually consists of:
The types of information security policy can all be combined to create a single security policy for an organization; however, they should all coexist in harmony. Usually, different types of information security policy have different outcomes, hence a security policy for an organization should be thorough yet harmonious with the other types of information security policy networks. These types will now be discussed. There are several types of information security policy networks. However, these three types of information security policy are most commonly used in the US: acceptable encryption and key management policy, data breach response policy, and clean desk policy.
1. Acceptable Encryption and Key Management Policy
Amongst these three types of information security policy, this is the most commonly used one. An acceptable encryption and key management policy can be found in almost all types of information security policy networks because of the crucial role of encryption. The encryption policy covers a wide spectrum of components, including information assets and networks. This type of information security policy performs the vital task of ensuring that all encryption keys of the respective information structures are encrypted and secure. This information security policy enables partial access for employees.
2. Data Breach Response Plan
A data breach response plan is one of the three types of information security policy and is absolutely vital for a company's information security. It acts as the last line of defense. A data breach response plan is the type of information security policy that paves the way for fighting online hackers, viruses, and threats. Amongst the three types of information security policy, this is the second most commonly used.
Every organization should have a data breach response plan in action because it protects vital information from falling into malicious hackers' hands. A data breach response plan usually consists of information on how to safeguard high-risk and valuable company data such as employee information, financial planning and information, and so on. Amongst these three types of information security policy, this is the most vital policy because it enables primary defense capabilities, and a data breach response plan shows how a security policy provides a way to ensure trust and reliability in an organization's information security infrastructure.
3. Disaster Recovery Plan Policy
Amongst these three types of information security policy, this policy is right at the top with the previously discussed types in terms of importance and criticality. A disaster recovery plan policy shows how a security policy provides a way to a smoothly running organization. After a man-made or natural disruption that causes either system hacks or system shutdowns, the disaster recovery plan policy restores critical technology services immediately. This allows business and organizational operations to run smoothly. This policy shows how important these three types of information security policy are for an organization, because they all enable and ensure smoothly functioning organizational operations. Now that we've gone over the types of information security policy, let's discuss their characteristics.
Types of Security Policy Characteristics
A security policy provides a way to a reliable future, full of resolute operating possibilities due to protected data. You should know that a security policy must possess certain characteristics. Various types of information security policy networks fail due to their reluctance in maintaining these characteristics in their policies.
Basically, a security policy provides a way to a successful future for an organization if it has these security policy characteristics. There are several important security policy characteristics, sometimes also referred to as key elements. Some of the most important will be discussed below.
Purpose
This is the first characteristic and serves as the starting point for the security policy characteristics. Various types of information security policy networks have different connotations; however, the purpose statement is relevant to all of them. A purpose statement of a security policy usually includes:
Audience
This is one of the most crucial security policy characteristics because it filters away irrelevant stakeholders in the organization who have no concern with the characteristics discussed in this section.
Confidentiality, Integrity, and Availability
One of the most crucial security policy characteristics, the CIA combination of a security policy is key for it to be effective in the long term. The CIA combination encompasses everything that must be included in a thorough and proper security policy. Success awaits an organization if its security policy provides a way to merge confidentiality, integrity, and availability together successfully.
This part of a well-rounded information security policy selects and allocates access responsibility among employees and the various levels present in an organization. An access control policy allocates roles and responsibilities amongst different levels and employees. Through this process, employees are made aware of what they have to do in alarming situations. This feature of an information security policy allows employees to be practiced and ready if any sort of unfortunate event occurs, such as a data leak or a hack.
Data Levels
As discussed previously, data have different degrees of importance. Organizations are well aware of these distinctions in importance, hence a good information security policy contains data levels.
Now let's discuss an example of a computer security policy.
Example of Computer Security Policy
A computer security policy is similar to an organization's information security policies. The goal is the same: to achieve information security and to secure data as much as possible. An example of a computer security policy is a data breach response plan. A second example can be a disaster recovery plan policy, and a third can be acceptable encryption. As you see, an example of a computer security policy can be the same as an example of the general information security policies we have been discussing up to now. Whenever a computer is mentioned, information and data must be included, because a computer's main purpose is to process and regulate data. Another example of a computer security policy is a system-specific security policy. This example strictly pertains to computers and all intelligent machinery employed by an organization. These machines hold large amounts of important data, hence their protection is of the utmost importance to an organization. This is a crucial example of computer security policymaking: developing a policy that caters to and protects data on all the fronts mentioned below: