Policies form the foundation of any security program.
Policies define:
How IT will approach security.
How users approach security.
How certain situations will be handled.
Policies - General management rules.
Standards - Specific mandatory controls (based on a given policy).
Guidelines - Recommendation or good practices.
Procedures - Instructions on how to implement a policy or standard.
Overview
Purpose
Scope
Target Audience
Definitions
Version
Implementation Date
Compliance / Exceptions
Policy Statements
Acceptable Use Policy (AUP)
Access Policy
Authentication Policy
Backup & Recovery Policy
Data Classification Policy
Email/Messaging Policy
Social Media Policy
Physical Security Policy
Incident Response Policy
Mobile Device Policy
Network Security Policy
Wireless Policy
Remote Access Policy
Policies should be short.
Standard set of instructions for workers to carry out routine operations.
Aim to achieve efficiency and consistent output.
Non-Disclosure Agreement (NDA)
Protects against sensitive information disclosure.
Business Partner Agreements (BPAs)
Specifies partner financial and fiduciary responsibilities (profit sharing).
Service-Level Agreements (SLAs)
Specifies nature and level of service by a provider (uptime).
Memorandum of Understanding (MOU) and Memorandum of Agreement (MOA)
Outlines the terms and details of an agreement.
An agreement between two or more parties used when the parties cannot create a legally enforceable agreement.
Interconnection Security Agreement (ISA)
Mandatory Vacations
Job Rotation
Separation of Duties
Clean Desk
Role-based awareness training based on job responsibilities.
Continuing Education
When user accounts are created by one employee and user permissions are configured by another employee.
An admin who is responsible for creating a user account should not have the authorization to configure the permissions associated with that account.
Requires more than one individual to accomplish a critical task.
Ensures that no individual can compromise a system.
Considered valuable in deterring fraud.
Can be static or dynamic.
Static: refers to the assignment of individuals to roles and the allocation of transactions to roles.
An individual can be either the initiator of a transaction or the authorizer of a transaction.
Dynamic: An individual can initiate as well as authorize transactions.
Change management stipulates that multiple changes to a computer system should not be made at the same time.
This makes tracking any problems that can occur much simpler.
Change management includes the following rules:
Distinguish between your system types.
Document your change process.
Develop your changes based on the current configuration.
Always test your changes.
Do not make more than one change at a time.
Document your fallback plan.
Assign a person who is responsible for change management.
Regularly report on the status of change management.