Security Policies - CompTIA Security+ SY0-701 - 5.1

Introduction to Security Policies

  • Primary Goal: Establish Confidentiality, Integrity, and Availability (CIA) for security management.

  • Importance of Policies: Security policies are essential for guiding actions and ensuring compliance throughout the organization.

Types of Security Policies

Broad Policies

  • Outline general goals like data storage requirements and specific event procedures.

Detailed Policies

  • Include strict guidelines for critical areas like Wi-Fi usage and remote network access requirements.

Information Security Policies

  • Comprehensive listings of policies for maintaining network availability and security.

  • May be mandated rather than optional.

  • Provide frameworks for addressing various security scenarios (e.g., virus discovery, remote access).

Roles and Responsibilities

  • Security policies define roles of individuals or teams associated with organizational security.

  • Establish clear communication channels for raising security concerns.

  • Enforcement of policies is the responsibility of the organization, ensuring adherence to documented policies.

Acceptable Use Policy (AUP)

  • Definition: AUP specifies acceptable behaviors regarding the use of organizational technology.

  • Purpose: Guides appropriate technology usage and protects the organization from legal liability in misuse cases.

Business Continuity Policies

  • Purpose: Prepare for scenarios where technology becomes unavailable, ensuring continued operations.

  • Example: Transition to manual credit transactions during network outages.

  • Importance of planning and testing to ensure effectiveness during actual disruptive events.

Disaster Recovery Plans

  • Definition: Formal procedures designed to recover from various types of disasters impacting operations.

  • Types of Disasters: Natural disasters, technology/system failures, human-induced disasters.

  • Critical Components:

    • Identifying alternate recovery locations.

    • Data recovery methods.

    • Application restoration.

    • Availability of IT staff during recovery.

Handling Security Incidents

  • Need for Documentation: Protocols for addressing incidents such as malware infiltration or DDoS attacks.

  • Importance of a specialized incident response team trained for various security events.

  • Types of Incident Response Roles:

    • Incident response team.

    • IT security management team.

    • Compliance officers.

    • Technical staff and user community input for incident resolution.

  • NIST Special Publication 800-61: Guide outlining the incident response lifecycle.

Software Development Lifecycle (SDLC)

  • Definition: Framework for developing software from conception to deployment.

  • Phases: Requirement gathering, development, testing, deployment, and maintenance.

Common Lifecycle Models

  • Waterfall Model: Linear approach in which each stage of development has clear prerequisites and is completed before the next stage begins.

  • Agile Model: Iterative approach focusing on speed and continuous improvement through rapid development cycles.

Change Management Policies

  • Purpose: Ensure that changes to systems and applications are managed carefully to minimize risk.

  • Importance of clear documentation and communication regarding changes.

  • Potential pitfalls of inadequate change management processes, emphasizing the need for formal procedures.

  • Encouragement for organizations without established change management to develop and implement policies.
