Develop, Document, and Implement Security Policy, Standards, Procedures, and Guidelines
As an organization grows and matures, the need to effectively communicate expectations to the workforce becomes increasingly important. Organizations communicate through a series of documents, aimed at different audiences with different levels of detail.
A well-structured set of organizational policies, standards, procedures, and guidelines give consistent guidance to members of the organization, specifying responsibilities for individuals and making clear the consequences for noncompliance. Clear policies allow management to define the bounds of decision-making at different levels in the organization. This in turn creates a predictable, stable management environment where energies are spent solving new problems instead of constantly reinventing the wheel. Many organizations use these terms in different and often interchangeable ways. As it relates to the CISSP CBK, understanding the hierarchical structure of the organizational documents is necessary, as the respective documents communicate to different levels of the organization.
Organizational Documents
For most organizations, the taxonomy of organizational documents sets high-level expectations at the policy level, while other documents provide the details on implementation. These documents establish expectations for behavior and performance in the organization, while providing appropriate levels of discretion to adjust to changing circumstances and events.
Policies
Policies are at the heart of what the organization is trying to accomplish. At a high level, policies provide critical instruction to management to implement measures to achieve external compliance expectations or support the larger strategic vision of the organization. As governance documents, the responsibility for creating and maintaining policy rests with the board. As such, policies are one of the ways in which the board demonstrates due care.
Policies, relative to other organizational documents, are less likely to change. They provide consistency to the organization’s management, allowing the leadership to shape standards and create procedures that achieve the policy end. They should provide management with sufficient flexibility to adapt to new circumstances or technologies without a policy revision.
Mature organizations routinely review their policies within their governance processes. Changing external compliance expectations or shifts in business strategy must be taken into account. The policy review process must address the changing needs of external stakeholders to support predictability in execution of the policies by management.
The use of the term policy when implementing security practice in an organization is often confusing. For example, a password policy may, or may not, be of interest to the governing organization—but it certainly would be of interest to the management team! The organization’s governance structure would likely express interest in ensuring that access controls are present, meet the compliance expectations appropriate to the organization’s needs at the policy level, and leave to management the decision of how many times a password should be rotated. That management chooses to refer to the outcome of their due diligence as a policy is an organizational decision.
Often referred to as sub policies, these amplifying instructions further set behavior expectations for the organization. Some of the areas that might be addressed include passwords, cryptography, identity management, access control, and a wide range of other topics. The critical distinction is whether the instruction comes from the governance body (making it a policy) or whether it is derived from a higher-level policy by the organization’s management.
This broad use of the term policy reflects one of the major challenges in our industry. A lack of a common language for information security practice has been repeatedly identified as one of the factors inhibiting the development of a common body of practice in the information security community. It is further complicated in an international environment, where translations and cultural differences affect how people perceive information. However, the various standards bodies have published specific definitions for information security terms that may have nuanced differences between each other.
Related Product : Certified Information System Security Professional | CISSP
Standards
Once the organization has decided on what it wants to accomplish, management can execute against the policies. One tool to support efficient management of resources is the use of standards. Standards simplify management by providing consistency in control. They are promulgated by management to support the achievement of the organization’s strategic goals and are tied directly to the organization’s policies.
Organizations may be required to adopt certain standards to do business in a particular market. For example, if an organization wants a web presence, it has to take into account the standards of the World Wide Web Consortium (W3C) in developing applications.
While standards are a management tool, standards often evolve out of organizational practice. For example, selecting a particular vendor to provide a product may force a standard where none was originally contemplated. De facto standards often evolve inside organizations as different parts of the organization adopt a new technology, not as a conscious management decision.
Well-structured standards provide mechanisms for adaptation to meet local conditions. Through the use of baselines, an organization can shape a standard to better reflect different circumstances. Baselines enable the delegation of decision-making within strict parameters to lower levels of management. Nevertheless, standards are directive in nature; compliance is not optional. Organizations that adopt standards must put in place performance measures to determine whether the standards have been implemented.
Procedures
Procedural documents provide highly detailed task-oriented instructions. Procedural documents are useful when a high degree of compliance is necessary and the precise steps to achieve the outcome are not readily apparent to individuals not familiar with the environment. Management, as part of its diligence responsibilities, enforces organizational procedures through routine oversight and audit. Compliance is not optional, and well-structured organizations track compliance with procedural steps.
In certain environments, procedural compliance is achieved through the use of various separation-of-duties methods. For example, in cloud environments, an organization might require that every action applied to the cloud environment be performed through a script function—a Chef recipe or a Puppet task—and the author of a script cannot be the individual who approves the script.
Baselines
Once a standard has been established, a baseline is derived from the standard to meet a specific set of implementation requirements. Once a baseline has been established, any deviation from the baseline would be formally approved through the organization’s change management practice. As with standards, baselines establish a compliance expectation.
As a subset of baselines, security baselines express the minimum set of security controls necessary to safeguard the CIA properties for a particular configuration. Scoping guidance is often published as part of a baseline, defining the range of deviation from the baseline that is acceptable for a particular baseline. Once scoping guidance has been established, then tailoring is performed to apply a particular set of controls to achieve the baseline within the scoping guidance.
Guidelines
Guidelines are necessary when an organization determines that some level of flexibility in implementation is necessary to achieve business objectives. Guidelines often rely upon best practices for a particular discipline or are the codification of an organization’s experience in a particular area.
Guidelines may be useful when a range of options exist to achieve a particular control objective and it is acceptable to encourage creativity and to experiment to compare the effectiveness of different options. Guidelines may also be useful when the organization’s staff has a broad base of experience and a shared vision for an outcome. In that case, the explicit directions of procedures, standards, and baselines may provide too much structure and impede the adoption of more efficient methods.
There are many sources of guidelines for information security practice. Certainly, the CISSP CBK is one, as it reflects a broad range of security practices but is not prescriptive inside an organization’s information security environment. The ISO/NIST/ITIL frameworks are often leveraged as guidelines; however, they may become policies or standards if the organization has a compliance expectation. Other sources of guidelines include manufacturers’ default configurations, industry-specific guidelines, or independent organizations such as the Open Web Application Security Project (OWASP) work in software development. There is no single correct answer for the number and breadth of policies, standards, baselines, and guidelines an organization should have. Different regulatory environments, management expectations, and technology challenges will affect how the organization expresses and achieves its goals.
Follow Us
https://www.facebook.com/INF0SAVVY
https://www.linkedin.com/company/14639279/admin/
