Technology is only as good as the rules that govern it.
Strategic Alignment, Legal Compliance, Consistency
Why does planning matter? (Enumerate)
Strategic Alignment
Security must support the business goals (e.g., a bank needs high integrity; YouTube needs high availability).
Legal Compliance
Laws (like the Data Privacy Act) require organizations to have documented security plans.
Consistency
Ensuring everyone follows the same rules, from the CEO to the intern.
Top: Policies, Middle: Standards, Lower-Middle: Guidelines, Bottom: Procedures
The Governance Hierarchy (The Pyramid)
Top: Policies
(General, High-level, Mandatory).
Middle: Standards
(Specific, Mandatory technical details).
Lower-Middle: Guidelines
(Optional recommendations, "Best Practices").
Bottom: Procedures
(Step-by-step instructions).
Policy
A set of rules that dictates acceptable and unacceptable behavior within an organization.
Policy
It functions as organizational law.
Disseminated, Read, Understood, Agreed, Enforced
Criteria for Enforcement: For a policy to be enforceable, it must be:
Disseminated
Distributed to all users.
Read
Users must review it.
Understood
The language must be clear to every reader (plain wording, not overly technical).
Agreed
Users must sign (digitally or physically).
Enforced
Penalties must be applied equally.
Enterprise Information Security Policy (EISP)
Scope: Strategic. Covers the entire organization.
Enterprise Information Security Policy (EISP)
Purpose: Sets the "Tone from the Top." Shows management's commitment to security.
- Statement of Purpose ("Why we do security").
- IT Security Elements (Definitions of CIA).
- Need for IT Security (Legal/Business reasons).
- Roles and Responsibilities (Who is responsible for what).
Enterprise Information Security Policy (EISP) Content
Issue-Specific Security Policy (ISSP)
Scope: Tactical. Covers specific technologies or issues.
Issue-Specific Security Policy (ISSP)
Examples:
- Email Use Policy.
- Internet/Web Surfing Policy.
- Bring Your Own Device (BYOD) Policy.
- Remote Access Policy.
Issue-Specific Security Policy (ISSP)
Structure:
- Prohibited uses (e.g., "No gambling sites").
- System management (e.g., "IT can monitor logs").
- Violations (e.g., "First offense: Warning").
System-Specific Security Policy (SysSP)
Scope: Operational. Covers specific hardware or software configurations.
System-Specific Security Policy (SysSP)
Two Types:
- Management Guidance
- Technical Specifications
Management Guidance
Rules for admins (e.g., "Patch servers every Friday").
Technical Specifications
Actual configuration rules (e.g., firewall ACLs: permit TCP port 80, then deny IP any, so everything not explicitly permitted is dropped).
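The firewall ACL above is the one place on this page where a policy becomes something a machine enforces, so here is an added example (not code from the original notes) of how such a rule list is evaluated: rules are checked in order, the first match wins, and anything that reaches the end of the list is denied. It also adds a check a practitioner would want when turning a SysSP into configuration: a rule placed after a broader rule can never fire (for instance "deny ip any" written before "permit tcp 80"). The rule names, the `Rule` class and the sample packets are assumptions constructed for this example.

```python
"""Added example: first-match evaluation of a SysSP-style firewall ACL.

Not part of the original notes. Models the ACL "permit TCP 80, deny IP any"
as an ordered rule list with first-match semantics and an implicit deny at
the end, which is how most firewall ACLs behave. Packets are constructed
sample traffic, not captured data.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    action: str             # "permit" or "deny"
    proto: str              # "tcp", "udp", "icmp", or "ip" (any protocol)
    dst_port: Optional[int] # None matches any destination port

    def matches(self, proto: str, dst_port: Optional[int]) -> bool:
        """True if a packet with this protocol/port is covered by the rule."""
        if self.proto != "ip" and self.proto != proto:
            return False
        return self.dst_port is None or self.dst_port == dst_port

    def covers(self, other: "Rule") -> bool:
        """True if every packet `other` could match is already matched by self."""
        proto_ok = self.proto == "ip" or self.proto == other.proto
        port_ok = self.dst_port is None or self.dst_port == other.dst_port
        return proto_ok and port_ok


# The ACL from the SysSP example, written in the order it must be applied.
WEB_SERVER_ACL: List[Rule] = [
    Rule("permit", "tcp", 80),   # allow HTTP to the web server
    Rule("deny", "ip", None),    # drop everything else (explicit "deny ip any")
]


def evaluate(acl: List[Rule], proto: str, dst_port: Optional[int] = None) -> str:
    """Return "permit" or "deny" for one packet using first-match semantics."""
    for rule in acl:
        if rule.matches(proto, dst_port):
            return rule.action
    # Implicit deny: traffic that matches no rule is dropped, even if the
    # author forgot to write the final "deny ip any".
    return "deny"


def shadowed_rules(acl: List[Rule]) -> List[int]:
    """Indices of rules that can never fire because an earlier rule covers them.

    A shadowed "permit" after a broad "deny" is the classic ordering mistake
    when a policy is transcribed into configuration.
    """
    shadowed = []
    for i, rule in enumerate(acl):
        if any(earlier.covers(rule) for earlier in acl[:i]):
            shadowed.append(i)
    return shadowed


def evaluate_many(acl: List[Rule], packets: List[Tuple[str, Optional[int]]]):
    """Evaluate a batch of (proto, dst_port) tuples; returns [(packet, action)]."""
    return [(pkt, evaluate(acl, *pkt)) for pkt in packets]


if __name__ == "__main__":
    # Constructed sample traffic: HTTP, SSH, a UDP probe on port 80, and ICMP.
    sample = [("tcp", 80), ("tcp", 22), ("udp", 80), ("icmp", None)]
    for pkt, action in evaluate_many(WEB_SERVER_ACL, sample):
        print(pkt, "->", action)

    # The same two rules in the wrong order: the permit can never be reached.
    misordered = [Rule("deny", "ip", None), Rule("permit", "tcp", 80)]
    print("shadowed rule indices:", shadowed_rules(misordered))
```

Running the block shows the ordering point directly: the same two rules permit HTTP in one order and block it in the other, which is why a SysSP technical specification should state rule order, not just the set of rules.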
Guidelines
"You should use a passphrase that is easy to remember." (Advice).
Procedures
"Step 1: Go to Settings. Step 2: Click Security. Step 3: Type password." (Instructions).
Policy Lifecycle Management
Policies are not "set and forget."
Development, Implementation, Maintenance, The Sunset Clause
Policy Lifecycle Management (enumerate)
Development
Drafting by a committee (HR, Legal, IT, Management).
Implementation
Training users.
Maintenance
Annual review.
The Sunset Clause
A rule stating that a policy expires after a set period (e.g., 2 years) unless it is formally reviewed and renewed. This prevents "zombie policies" (e.g., rules about floppy disks still in force in 2026).