Read
Users must actually read it; receiving a copy is not enough.
System-Specific Security Policy (SysSP)
Two Types:
- Management Guidance
- Technical Specifications
Management Guidance
Rules for admins (e.g., "Patch servers every Friday").
Policy Lifecycle Management
Policies are not "set and forget."
- Development
- Implementation
- Maintenance
- The Sunset Clause
Technology
Technology is only as good as the rules that govern it.
Why Planning Matters
Strategic Alignment
Legal Compliance
Consistency
Strategic Alignment
Security must support the business goals (e.g., a bank needs high integrity of account data; a video platform like YouTube needs high availability).
Legal Compliance
Laws (like the Data Privacy Act) require organizations to have documented security plans.
Consistency
Ensuring everyone follows the same rules, from the CEO to the intern.
The Governance Hierarchy (The Pyramid)
Top: Policies
Middle: Standards
Lower-Middle: Guidelines
Bottom: Procedures
Top: Policies
(General, High-level, Mandatory).
Middle: Standards
(Specific, Mandatory technical details).
Lower-Middle: Guidelines
(Optional recommendations, "Best Practices").
Bottom: Procedures
(Step-by-step instructions).
Policy
A set of rules that dictates acceptable and unacceptable behavior within an organization.
Policy
It functions as organizational law.
Policy
Criteria for Enforcement: For a policy to be enforceable, it must be:
- Disseminated
- Read
- Understood
- Agreed
- Enforced
Disseminated
Distributed to all users.
Understood
Language must be clear (not too technical).
Agreed
Users must sign (digitally or physically).
Enforced
Penalties must be applied equally.
Enterprise Information Security Policy (EISP)
Scope: Strategic. Covers the entire organization.
Enterprise Information Security Policy (EISP)
Purpose: Sets the "Tone from the Top." Shows management's commitment to security.
Enterprise Information Security Policy (EISP)
Content:
- Statement of Purpose ("Why we do security").
- IT Security Elements (Definitions of CIA).
- Need for IT Security (Legal/Business reasons).
- Roles and Responsibilities (Who is responsible for what).
Issue-Specific Security Policy (ISSP)
Scope: Tactical. Covers specific technologies or issues.
Issue-Specific Security Policy (ISSP)
Examples:
- Email Use Policy.
- Internet/Web Surfing Policy.
- Bring Your Own Device (BYOD) Policy.
- Remote Access Policy.
Issue-Specific Security Policy (ISSP)
Structure:
- Prohibited uses (e.g., "No gambling sites").
- System management (e.g., "IT can monitor logs").
- Violations (e.g., "First offense: Warning").
System-Specific Security Policy (SysSP)
Scope: Operational. Covers specific hardware or software configurations.
Technical Specifications
Actual configuration rules (e.g., firewall ACL entries: permit TCP to port 80, then deny IP any; entries are evaluated in order, so the catch-all deny must come last).
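The ACL above is the kind of technical specification a SysSP contains. The following Python is an added illustration, not code from the original study set: it models "Permit TCP 80, Deny IP Any" as an ordered rule list evaluated first-match, shows what happens when the two entries are swapped, and includes a small check for entries shadowed by an earlier catch-all rule. The rule and packet formats, the function names, and the 203.0.113.0/24 and 198.51.100.0/24 addresses (RFC 5737 documentation ranges) are assumptions made for this example.

```python
"""Tiny first-match ACL evaluator (added example; not from the original page).

Models the SysSP technical-specification example "Permit TCP 80, Deny IP Any"
as an ordered rule list. Rule/packet formats, function names and the sample
addresses are constructed for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    action: str            # "permit" or "deny"
    proto: str             # "tcp", "udp", "icmp", or "ip" (any protocol)
    src: str               # CIDR or "any"
    dst: str               # CIDR or "any"
    dport: Optional[int]   # destination port; None = any port


def _net_matches(cidr: str, addr: str) -> bool:
    return cidr == "any" or ip_address(addr) in ip_network(cidr, strict=False)


def rule_matches(rule: Rule, pkt: Dict) -> bool:
    """A rule matches only if every field it constrains matches the packet."""
    if rule.proto != "ip" and rule.proto != pkt["proto"]:
        return False
    if rule.dport is not None and rule.dport != pkt.get("dport"):
        return False
    return _net_matches(rule.src, pkt["src"]) and _net_matches(rule.dst, pkt["dst"])


def evaluate(acl: List[Rule], pkt: Dict) -> Tuple[str, Optional[int]]:
    """First match wins. Returns (action, index of the deciding rule).

    An index of None means no rule matched and the implicit deny applied,
    which is how real ACLs behave even without an explicit "deny ip any any".
    """
    for i, rule in enumerate(acl):
        if rule_matches(rule, pkt):
            return rule.action, i
    return "deny", None


def is_catch_all(rule: Rule) -> bool:
    return rule.proto == "ip" and rule.src == "any" and rule.dst == "any" and rule.dport is None


def shadowed_by_catch_all(acl: List[Rule]) -> List[int]:
    """Indices of rules that can never fire because an earlier rule matches everything."""
    shadowed = []
    seen_catch_all = False
    for i, rule in enumerate(acl):
        if seen_catch_all:
            shadowed.append(i)
        elif is_catch_all(rule):
            seen_catch_all = True
    return shadowed


# The page's example as an ordered list: the web rule first, then the explicit catch-all deny.
WEB_ACL = [
    Rule("permit", "tcp", "any", "203.0.113.10/32", 80),
    Rule("deny", "ip", "any", "any", None),
]

# The same two entries in the wrong order: the deny now shadows the permit.
MISORDERED_ACL = list(reversed(WEB_ACL))

# Constructed sample packets (not captured traffic).
HTTP_PKT = {"proto": "tcp", "src": "198.51.100.7", "dst": "203.0.113.10", "dport": 80}
SSH_PKT = {"proto": "tcp", "src": "198.51.100.7", "dst": "203.0.113.10", "dport": 22}
PING_PKT = {"proto": "icmp", "src": "198.51.100.7", "dst": "203.0.113.10"}

if __name__ == "__main__":
    for name, pkt in [("http", HTTP_PKT), ("ssh", SSH_PKT), ("ping", PING_PKT)]:
        print(name, "->", evaluate(WEB_ACL, pkt))
    print("misordered http ->", evaluate(MISORDERED_ACL, HTTP_PKT))
    print("shadowed entries in misordered ACL:", shadowed_by_catch_all(MISORDERED_ACL))
```

The point for policy work is that the two-line rule "Permit TCP 80, Deny IP Any" is only correct as an ordered pair; a technical specification should state the order (or the first-match semantics) explicitly, and a review step can mechanically flag entries that sit below a catch-all.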
Guidelines
"You should use a passphrase that is easy to remember." (Advice).
Procedures
"Step 1: Go to Settings. Step 2: Click Security. Step 3: Type password." (Instructions).
Guidelines vs. Procedures
Key Difference
Procedures leave no room for interpretation; they ensure consistency.
Development
Drafting by a committee (HR, Legal, IT, Management).
Implementation
Training users.
Maintenance
Annual review.
The Sunset Clause
A rule stating that a policy expires after a certain date (e.g., 2 years) unless formally reviewed. This prevents "Zombie Policies" (e.g., rules about floppy disks in 2026).
Summary & Key Takeaways
- Policy is the bridge between management goals and technical reality.
- Without a disseminated, acknowledged policy, disciplining an employee for misuse is hard to defend, because they can claim "I didn't know it was wrong."
- Policies must evolve as technology evolves.