Policies form the foundation of any security program.
How IT will approach security.
How users approach security.
How certain situations will be handled.
Policies - General management rules.
Standards - Specific mandatory controls (based on a given policy).
Guidelines - Recommendation or good practices.
Procedures - Instructions on how to implement a policy or standard.
Compliance / Exceptions
Acceptable Use Policy (AUP)
Backup & Recovery Policy
Data Classification Policy
Social Media Policy
Physical Security Policy
Incident Response Policy
Mobile Device Policy
Network Security Policy
Remote Access Policy
Policies should be short.
Standard set of instructions for workers to carry out routine operations.
Aim to achieve efficiency and consistent output.
Non-Disclosure Agreement (NDA)
Protects against sensitive information disclosure.
Business Partner Agreements (BPAs)
Specifies partner financial and fiduciary responsibilities (profit sharing).
Service-Level Agreements (SLAs)
Specifies nature and level of service by a provider (uptime).
Memorandum of Understanding (MOU) and Memorandum of Agreement (MOA)
Outlines the terms and details of an agreement.
An agreement between two or more parties where the parties cannot create a legally enforceable agreement.
Interconnection Security Agreement (ISA)
Separation of Duties
Role-based awareness training based on job responsibilities.
When user accounts are created by one employee and user permissions are configured by another employee.
An admin who is responsible for creating a user account should not have the authorization to configure the permissions associated with that account.
Requires more than one individual to accomplish a critical task.
Ensures that no individual can compromise a system.
Considered valuable in deterring fraud.
Can be static or dynamic.
Static: refers to the assignment of individuals to roles and the allocation of transactions to roles.
An individual can be either the initiator of a transaction or the authorizer of a transaction.
Dynamic: An individual can initiate as well as authorize transactions.
Change management stipulates that multiple changes to a computer system should not be made at the same time.
This makes tracking any problems that can occur much simpler.
Change management includes the following rules:
Distinguish between your system types.
Document your change process.
Develop your changes based on the current configuration.
Always test your changes.
Do not make more than one change at a time.
Document your fallback plan.
Assign a person who is responsible for change management.
Regularly report on the status of change management.