Policies-Personnel

5.1 Explain the importance of polices, plans and procedures related to organizational security

To ensure that the proper risk management is coordinated , updated and communicated and maintained.

It is important to establish clear and detailed security policies that are approved by organizational management and brought to the attention of all of the users through regular security awareness training.

Policies that the users do not know about are rarely effective, and those that lack management support can be unenforeceable. Several policies can support risk management within the organization.

Policies, Plans and procedures

• Policy Types

• Standard Operating Procedure (SOP)

• Agreement types

  • NDA (Non-Disclosure Agreement)

    • Protects against sensitive information disclosure

  • BPA (Business partner agreements)

    • Specifies partner financial and fiduciary responsibilities (profit sharing)

  • SLA (Service Level Agreements)

    • Specifies nature and level of service by a provider (uptime)

  • ISA (Interconnection security agreement)

  • MOU (Memorandum of Understanding) /MOA (Memorandum of Agreement)

    • Outlines the terms and details of an agreement

• General Security Policies

  • Social Media network/applications

  • Personal email

• Personnel Management

  • Job rotation

  • separation of duties

  • clean desks

  • background checks

  • Onboarding

  • Exit interviews

  • Role Based awareness training

  • Acceptable use policy/rules of behavior

  • Continuing education

  • Mandatory Vacations

Policies

• Policies form the foundation of any security program

• Policies define

  • How IT will approach security,

  • How users approach security, and

  • How certain situations will be handled.

Policy Document Types

• Policies - General Management Rules

  • Though shout rules of the organization. must follow rules

  • These rules if not followed or violated can cause serious damage and possible termination of employees who do violate a policy statement.

  • Policies should be technology agnostic, should not specify technology.

• Standards - Specific mandatory controls, based on given policy

  • Tend to be more technical in nature and specify mandatory controls, for example password or authentication standards which can enable with back in technology such as a security policy like GPO within Microsoft. These standards should be based on a specific policy.

• Guidelines - Recommendation or good practices

  • try to do this, but if not followed it doesnot cause a lot of damage to the organization

• Procedures - Instruction on how to imlement a policy or standard

  • these are steps to take to fulfill a guideline, standard or policy.

Policy Elements

• Overview

• Purpose

• Scope: who does the policy applies to, to the whole organization, specific areas, or specific technolgies.

• Target Audience

• Definitions

• Versions

• Implemented Date

• Compliance / Exceptions

• Policy Statements

Common Policies

• Accepatable Use Policy (AUP)

• Access Policy

• Authentication Policy

• Backup and Recovery Policy

• Email/ Messaging Policy

• Social Media Policy

• Physical Security Policy

• Incident response policy

• Mobile Device Policy

• Network Security Policy

  • Wireless policy

  • Remote Access

Standard operating procedure (SOP)

• Standard set of instructions for workers to carry out routine operations

• Aim to achieve efficiency and consistent output