In this topic explaining security policy, standards, procedures, and guidelines of security and risk management.
Module Objectives
- Describe the hierarchy of written governance (policies, standards, guidelines, and processes).
Policy
The written aspect of governance (including security governance) is known as policy. Policies are documents published and promulgated by senior management dictating and describing the organization’s strategic goals (“strategic” entails long-term, overarching planning that addresses the whole of the organization; it is possible to have goals that are not strategic to the organization, such as goals for a specific department, project, or duration). Security policies are those policies that address the organization’s security goals and might include such areas as data classification, access management, and so on.
Typically, policies are drafted by subject matter experts, shared among stakeholders for review and comment, revised, then presented to senior management for final approval and publication. This is especially true for security policy, which is often a topic of which senior management has little understanding and insight, and it relies greatly on security practitioners for advice and guidance.
Standards
Standards are specific mandates explicitly stating expectations of performance or conformance. Standards can either come from within the organization (internal) or from external sources such as statutory or administrative law, case law (court decisions that set precedent), professional organizations, and/or industry groups. Some standards are detailed and specific; an example might be an industry standard for configuring a certain IT component or device. Some standards are general and describe a goal, outcome, or process; an example might be a law that sets a standard declaring, “the data controller is required to use physical access control measures to prevent unauthorized removal of hardware containing PII.”
Organizations are required to comply with standards to which they subscribe or which are applicable to the organization; failure to do so can result in prosecution or fines assessed by law enforcement/ regulators or can increase and enhance the organization’s liability.
An example, for demonstration purposes: a retail company has some PII related to its customers, including their contact information and shopping habits. In the wake of a data breach, investigators determine that the company was storing data in files that could be accessed with default administrative usernames and passwords, which is directly contrary to all current industry standards and common security practice. Because not conforming to the standard demonstrates a form of negligence, in addition to the costs of resolving the breach, the company may face additional expenses in the form of lawsuits from customers whose data was exposed and fines from regulators who oversee the protection of personal information. If the company had taken good faith steps to protect the data in a professional manner (including adherence to best practices and industry standards), the company would still incur expenses related to resolving the loss but would have attenuated the liability from the additional costs.
Procedures
Procedures are explicit, repeatable activities to accomplish a specific task. Procedures can address one-time or infrequent actions (such as a disaster recovery checklist) or common, regular occurrences (for instance, daily review of intrusion detection logs). Like standards, procedures aid the organization by demonstrating due diligence and avoiding liability.
Proper documentation of procedures (in both creating the procedures and in executing them) and training personnel how to locate and perform procedures is necessary for the organization to derive benefit of procedures.
Related Product : Personal Data Protection & General Data Protection Regulation Training & Certification
Guidelines
Guidelines are similar to standards in that they describe practices and expectations of activity to best accomplish tasks and attain goals.
However, unlike standards, guidelines are not mandates but rather recommendations and suggestions. Guidelines may be created internally, for use by the organization, or come from external sources such as industry participants, vendors, and interested parties.
There is a general hierarchy of importance typically associated with these governance elements; while not applicable in all cases, usually:
- Policy is at the pinnacle of the hierarchy; the organization’s policy is informed by applicable law(s) and specifies which standards and guidelines the organization will Senior management dictates policy, so all activity within the organization should conform with policy.
- Standards are next; the organization’s policies should specify which standards the organization adheres to, and the organization can be held accountable for not complying with applicable standards.
- Guidelines inform the organization how to conduct activities; while not mandatory, they can be used to shape and inform policies and procedures, and how to accomplish compliance with standards.
- Procedures are the least powerful of the hierarchy, but they are the most detailed; processes describe the actual actions personnel in the organization will take to accomplish their tasks. Even though they may be considered the bottom of the hierarchy, they are still crucial and can be used for obviating liability and demonstrating due diligence.
Follow Us
https://www.facebook.com/INF0SAVVY
https://www.linkedin.com/company/14639279/admin/