Security Policy Framework


A security policy framework contains a series of documents designed to describe the organization’s cybersecurity program.

  • Scope varies widely from one organization to another

Framework

Security Policies

Policies are broad statements of management intent.

  • Provide the foundation for a security program
  • Written carefully over a long period of time
  • Compliance with policies is mandatory
  • Approved at the highest levels of the organization
  • Example of policy wording:
    • Too specific:
      • “Encrypt sensitive information with AES-256”
    • Right level of abstraction:
      • “Encrypt sensitive data in transit and at rest”

Security Standards

Standards provide mandatory requirements describing how an organization will carry out its information security policies.

  • Provide specific details of security controls
  • Derive their authority from policies
  • Follow a less rigorous approval process than policies
  • Compliance with standards is mandatory
  • Often adopt industry best-practice standards
    • Some regulated industries require this; otherwise, failing to follow industry standards may be deemed negligent

Security Procedures

Procedures are detailed, step-by-step processes that individuals and organizations must follow in specific circumstances.

  • Ensure a consistent process for achieving a security objective
  • May require compliance depending upon the circumstances
  • Common procedures:
    • Monitoring procedures
      • Describe how the organization will perform security monitoring activities
    • Evidence production procedures
      • Describe how to respond to subpoenas, court orders, and other legitimate requests to produce digital evidence
    • Patching procedures
      • Describe the frequency and process of applying patches to applications and systems

Security Guidelines

Guidelines provide best practices and recommendations related to a given concept, technology, or task.

  • Provide security advice to the organization
  • Follow best practices from industry
  • Compliance is not mandatory
    • The degree to which guidelines are optional may vary, though

Exceptions and Compensating Controls

  • Provide an exception mechanism for rules
    • Situations occur that require deviation from requirements
  • State the specific requirements for receiving an exception and identify the authority that approves exceptions
  • Many exceptions require compensating controls
    • A compensating control mitigates the risk associated with an exception to a security standard