Policy
• What it is: High-level, mandatory rules set by management. It states "What" we do and "Why," but not technical details.
• Scenario: "The Information Security Policy states that all confidential data must be encrypted." (It doesn't say how or with what tool, just that it must be done.)
Standard
• What it is: Mandatory technical specifics. It defines the "How much" or "What type."
• Scenario: "The Password Standard requires all passwords to be at least 14 characters, and the Encryption Standard requires AES-256 for data at rest." (This supports the Policy by naming the exact requirement; note that passwords are stored as salted hashes, not encrypted.)
Procedure
• What it is: Step-by-step instructions on how to perform a task.
• Scenario: "The Onboarding Procedure: Step 1: Create AD account. Step 2: Issue laptop. Step 3: Assign badge." (If you follow the steps, the outcome is always the same.)
Guidelines
• What it is: Optional recommendations or best practices. Not mandatory.
• Scenario: "A Guideline suggests that users should restart their computers once a week for better performance." (You won't get fired for ignoring it, but it helps.)
AUP (Acceptable Use Policy)
• What it is: The rules of behavior for employees using company equipment.
• Purpose (Scenario): "You sign this when you get hired. It says: Do not watch Netflix on the work laptop, do not use the file server for personal photos, and do not try to hack the network."
Change Management Policy
• What it is: The formal process for modifying systems (updating software, changing firewall rules).
• Purpose (Scenario): To prevent outages. "Before an admin can update the firewall, they must submit a request, get approval from the Change Control Board (CCB), and have a rollback plan in case it crashes the network."
SDLC (Software Development Lifecycle)
• What it is: The process for building and maintaining software (Design -> Code -> Test -> Deploy -> Maintain). A Secure SDLC policy requires security activities (threat modeling, code review, security testing) at every phase, not just at the end.
• Purpose: To "shift left" (find and fix security problems early, when they are cheap to fix) rather than trying to patch vulnerabilities after the app is released.
BC (Business Continuity)
• What it is: The plan to keep critical business functions (and the revenue they generate) running during a disruption.
• Focus: Business Operations.
• Scenario: "The power is out. The BC plan says: 'Move the sales team to the branch office so they can keep taking calls.'"
DR (Disaster Recovery)
• What it is: The plan to restore IT infrastructure after a disaster.
• Focus: Technical Systems (Servers/Data).
• Scenario: "The server room flooded. The DR plan says: 'Restore the backup tapes to the secondary data center servers.'"
Data Owner
• What it is: The Senior Manager (e.g., VP of Sales) who is legally responsible for the data.
• Key Responsibility: They decide the Classification (e.g., "This list is Top Secret") and who gets access. They care about the value of the data.
Data Custodian
• What it is: The IT Tech (e.g., Sysadmin) who manages the data day-to-day.
• Key Responsibility: They implement the controls defined by the Owner. (e.g., "The Owner said encrypt this, so I am configuring the AES encryption settings and running backups.")
Data Controller
• What it is: The entity that determines the "Why" (purpose) and "How" (means) of processing personal data. (Usually the company that collects the data.)
• Scenario: "Amazon is the Controller of your shopping history data because they decide to collect it to sell you things."
Data Processor
• What it is: A third-party that processes data on behalf of the Controller.
• Scenario: "Amazon uses a cloud payroll company to pay its employees. The payroll company is the Processor. They don't own the data; they just crunch the numbers for Amazon."
Centralized Governance
• What it is: One central authority (Headquarters/CISO) makes security decisions for the entire organization.
• Pros/Cons: Consistent standards everywhere, but can be slow to react to local needs.
Decentralized Governance
• What it is: Individual branches or units make their own security decisions.
• Pros/Cons: Fast and flexible, but leads to inconsistent security (Branch A is secure, Branch B is wide open).
Committee / Board
• What it is: A group of stakeholders (CEO, CFO, CIO, HR, Legal) that meets to oversee security strategy.
• Purpose: To ensure security aligns with business goals and legal requirements (not just "tech stuff").