Your business has the best tools that money can buy, a team well equipped and skilled to run them, and the time to implement them across the enterprise. So what? In the IT world you can have every tool in existence in your environment and still accomplish nothing: you will not know any more than you know today and, worst of all, you will live under a false impression of security. To ensure proper management, and to achieve the full value of the IT infrastructure, there need to be well defined policies, standards, guidelines and procedures. What are they? Step by step documents? Laws? Rules? Things written by the guys on the top floor to ‘slow down’ the system administrators? They are the guiding principles that help the business govern itself, ensuring that the best effort at security is in place and being enforced.
The Information Security Policy Framework
Each of the document types listed above (policies, standards, guidelines and procedures) has a different target audience within the business and therefore should never be combined into one document. Instead there should be several documents that together form an information security policy framework. This framework is illustrated in the diagram below, with each level of the framework supporting the levels above it.
In order to help cement this concept, let’s use an example to illustrate how all of these different framework pieces fit together.
A policy may state all business information must be adequately protected when being transferred.
A supporting data transfer standard builds upon this, requiring that all sensitive information be encrypted using a specific encryption type and that all transfers are logged.
A supporting guideline explains the best practices for recording sensitive data transfers and provides templates for the logging of these transfers.
A procedure provides step by step instructions for performing encrypted data transfers and ensures compliance with the associated policy, standards and guidelines.
An information security policy consists of high level statements relating to the protection of information across the business and should be produced by senior management.
The policy outlines security roles and responsibilities, defines the scope of information to be protected, and provides a high level description of the controls that must be in place to protect information. In addition, it should reference the standards and guidelines that support it. Businesses may have a single encompassing policy, or several specific policies that target different areas, such as an email policy or an acceptable use policy. From a legal and compliance perspective, an information security policy is often viewed as a commitment from senior management to protect information. A documented policy is frequently a requirement for satisfying regulations or laws, such as those relating to privacy and finance. It should be viewed as a business mandate and must be driven from the top (i.e. senior management) downwards in order to be effective.
Standards consist of specific low level mandatory controls that help enforce and support the information security policy.
Standards help to ensure security consistency across the business and usually contain security controls relating to the implementation of specific technology, hardware or software. For example, a password standard may set out rules for password complexity and a Windows standard may set out the rules for hardening Windows clients.
Guidelines consist of recommended, non-mandatory controls that help support standards or serve as a reference when no applicable standard is in place.
Guidelines should be viewed as best practices that are not usually requirements, but are strongly recommended. They could consist of additional recommended controls that support a standard, or help fill in the gaps where no specific standard applies. For example, a standard may require passwords to be 8 characters or more, and a supporting guideline may state that it is best practice to also ensure the password expires after 30 days. In another example, a standard may require specific technical controls for accessing the internet securely, and a separate guideline may outline the best practices for using the internet and managing your online presence.
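The difference between a standard and a guideline shows up in practice as the difference between a hard failure and a recommendation. The following is an added example, not code from the original post: a small compliance check that treats the post's hypothetical password standard (8 characters or more) as a mandatory control whose breach makes an account non-compliant, and the supporting guideline (expire after 30 days) as an advisory that is reported but does not fail the assessment. The account records are constructed sample data and, deliberately, carry only the password length and age rather than the password itself.

```python
"""Policy-framework compliance check: mandatory standard vs. recommended guideline.

Added example. The thresholds come from the post's own illustration of a
password standard (>= 8 characters) and guideline (expire after 30 days);
the account data below is constructed for the demonstration.
"""
from dataclasses import dataclass

# Mandatory control taken from the hypothetical password standard.
MIN_PASSWORD_LENGTH = 8
# Recommended control taken from the hypothetical supporting guideline.
MAX_PASSWORD_AGE_DAYS = 30

STANDARD_VIOLATION = "VIOLATION"   # breach of a mandatory standard
GUIDELINE_ADVISORY = "ADVISORY"    # departure from a recommended guideline


@dataclass
class Account:
    """Constructed account record. The checker never needs the password itself,
    only attributes about it, so no secret is ever handled here."""
    username: str
    password_length: int
    password_age_days: int


@dataclass
class Finding:
    username: str
    level: str      # STANDARD_VIOLATION or GUIDELINE_ADVISORY
    control: str    # which framework document the finding traces back to
    detail: str


def evaluate_password(length: int, age_days: int) -> list:
    """Return the finding levels for one password, in standard-then-guideline order."""
    levels = []
    if length < MIN_PASSWORD_LENGTH:
        levels.append(STANDARD_VIOLATION)
    if age_days > MAX_PASSWORD_AGE_DAYS:
        levels.append(GUIDELINE_ADVISORY)
    return levels


def check_account(acct: Account) -> list:
    """Translate an account's attributes into findings that cite the governing document."""
    findings = []
    for level in evaluate_password(acct.password_length, acct.password_age_days):
        if level == STANDARD_VIOLATION:
            findings.append(Finding(acct.username, level, "Password Standard",
                                    f"length {acct.password_length} < {MIN_PASSWORD_LENGTH}"))
        else:
            findings.append(Finding(acct.username, level, "Password Guideline",
                                    f"age {acct.password_age_days} days > {MAX_PASSWORD_AGE_DAYS}"))
    return findings


def assess(accounts: list) -> dict:
    """Assess a population of accounts.

    Only standard violations make the population non-compliant; guideline
    advisories are counted and reported so they can be prioritised, but they
    are recommendations, not requirements.
    """
    findings = [f for a in accounts for f in check_account(a)]
    violations = [f for f in findings if f.level == STANDARD_VIOLATION]
    advisories = [f for f in findings if f.level == GUIDELINE_ADVISORY]
    return {
        "compliant": not violations,
        "violations": len(violations),
        "advisories": len(advisories),
        "non_compliant_users": sorted({f.username for f in violations}),
        "findings": findings,
    }


# Constructed sample population (lengths and ages only, no passwords).
SAMPLE_ACCOUNTS = [
    Account("alice", password_length=12, password_age_days=15),  # meets both
    Account("bob",   password_length=6,  password_age_days=10),  # breaks the standard
    Account("carol", password_length=10, password_age_days=91),  # only departs from the guideline
    Account("dave",  password_length=5,  password_age_days=120), # both
]


def run_sample() -> dict:
    """Assess the constructed sample population."""
    return assess(SAMPLE_ACCOUNTS)


if __name__ == "__main__":
    result = run_sample()
    for f in result["findings"]:
        print(f"{f.level:9} {f.username:6} {f.control}: {f.detail}")
    print("compliant:", result["compliant"],
          "| non-compliant users:", ", ".join(result["non_compliant_users"]))
```

Each finding cites the framework document it traces back to, which is the point of keeping policies, standards, guidelines and procedures as separate documents: an auditor reading the report can tell immediately whether a result is a breach of a mandatory control or a recommendation the business has chosen not to follow.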
Procedures consist of step by step instructions to assist workers in implementing the various policies, standards and guidelines.
While the policies, standards and guidelines describe the controls that should be in place, a procedure gets down to specifics, explaining how to implement those controls in a step by step fashion. For example, a procedure could be written to explain how to install Windows securely, detailing each step that needs to be taken to harden the operating system so that it satisfies the applicable policy, standards and guidelines.
End of Line.
Binary Blogger has spent 20 years in the Information Security space, currently providing security solutions and evangelism to clients. From early web application programming, system administration and senior management to enterprise consulting, I provide practical security analysis and solutions to help companies and individuals figure out HOW to be secure every day.