Lecture 14 Information Security Policies

The document discusses information security policies, standards, and procedures. It defines policies as written documents stating how an organization will protect assets, standards as more detailed instructions for complying with regulations, and procedures as step-by-step guidelines. Effective policies do not conflict with laws, are properly supported, contribute to organizational success, and involve users. Examples of different types of policies are also provided.

Uploaded by Asad Alfaouri

Information Security Policies

Policy, Standards, and Procedures
Policy: a document that states in writing how a company plans to protect its physical and information technology assets.
Standards: a more detailed statement of what must be done to comply with policy and with applicable regulations.
Practices, procedures and guidelines: the step-by-step instructions for how policies are to be achieved.
Policy, Standards, and Procedures
• For policies to be effective, they must:
- Never conflict with law
- Be properly supported and administered
- Contribute to the success of the organization
- Involve the end users of information systems
Examples of Policy
◼ Password Policy
◼ E-Mail Policy
◼ Sensitive Information Handling Policy
◼ Anti-Virus Software policy
An Example of Policy
◼ All user-level passwords (e.g., e-mail, web, desktop computer, etc.) MUST be changed at least every six months.
◼ All passwords must conform to the following guidelines:
 Over 7 characters in length
 Letters, numbers, and symbols
 Max of 3 repeating characters
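A policy statement like the one above is only useful if something enforces it. The following checker, added here as an illustration and not part of the lecture, encodes exactly the rules on this slide: more than 7 characters, at least one letter, digit and symbol, no run of more than 3 identical characters, and a maximum age of six months (assumed here to be 182 days; the slide does not fix the exact number).

```python
import re
from datetime import date, timedelta

# Rules taken from the example policy above
MIN_LENGTH = 8                      # "over 7 characters in length"
MAX_REPEAT = 3                      # "max of 3 repeating characters": a run of 4 or more fails
MAX_AGE = timedelta(days=182)       # "changed at least every six months" (182 days is an assumption)

# Matches a character followed by MAX_REPEAT more copies of itself, i.e. a run longer than allowed
_RUN_RE = re.compile("(.)\\1{" + str(MAX_REPEAT) + ",}")


def check_composition(password: str) -> list:
    """Return the list of composition rules the password violates (empty list = compliant)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not re.search(r"[A-Za-z]", password):
        problems.append("no letter")
    if not re.search(r"[0-9]", password):
        problems.append("no digit")
    if not re.search(r"[^A-Za-z0-9]", password):
        problems.append("no symbol")
    if _RUN_RE.search(password):
        problems.append(f"more than {MAX_REPEAT} repeated characters in a row")
    return problems


def is_expired(last_changed: date, today: date) -> bool:
    """True when the password is older than the policy's maximum age."""
    return today - last_changed > MAX_AGE


def evaluate(password: str, last_changed: date, today: date) -> list:
    """Full policy check: composition rules plus the rotation rule."""
    problems = check_composition(password)
    if is_expired(last_changed, today):
        problems.append("password older than six months")
    return problems


if __name__ == "__main__":
    # Constructed sample inputs
    for pw in ["Tr0ub4dor&3", "password", "aaaa1!Xyz"]:
        print(pw, "->", check_composition(pw) or "OK")
    print(evaluate("Tr0ub4dor&3", date(2024, 1, 1), date(2024, 12, 1)))
```

Two practitioner notes on the rules themselves: the "repeating characters" rule is interpreted here as consecutive repeats, which is the usual reading but not the only one, so a real policy should state which it means; and the forced six-month change reflects older guidance, whereas current NIST SP 800-63B advice is to rotate passwords when compromise is suspected rather than on a fixed schedule, and to screen new passwords against breached-password lists instead of relying on composition rules alone.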
Policy, Standards, and Practices (cont'd)
• Policies require constant modification and maintenance
• To produce a complete information security policy, management must define three types of information security policy (NIST SP 800-14):
- Enterprise information security policy (EISP)
- Issue-specific information security policies (ISSP)
- Systems-specific information security policies (SSSP)
Enterprise Information Security Policy (EISP)
• An enterprise information security policy is a set of rules that people with access to the organization's data, assets, networks, and other IT resources must follow to minimize cyber risk exposure.
• Sets strategic direction, scope, and tone for the organization's security efforts
• Assigns responsibilities for various areas of security
• Guides development, implementation, and management of the security program
• Typically owned by C-levels/board
• Not typically in the auditor's realm
Example of EISP
• Acceptable Use Policy: lays out the dos and don’ts of using IT equipment,
facilities, and resources, including the consequences of non-compliance.
• Clean Desk Policy: prescribes removing sensitive business information from
workstations at the end of each workday, from meeting notes to USB sticks.
• Change Management Policy: includes the processes required to make changes to
the enterprise IT ecosystem without disrupting business continuity.
• Data Backup Policy: outlines the ground rules for planning, executing, and
validating backups to ensure that critical data is securely and routinely backed up.
• Data Breach Response Policy: contains tools and protocols for recognizing and
handling data breach incidents in a timely, coordinated, and efficient manner.
• Disaster Recovery Plan Policy: defines the concrete steps an organization must
take in the event of a disaster, natural or man-made, to recover critical data and
functions.
Example of EISP (cont’d)
• End-User Encryption Key Protection Policy: describes the rules of protecting
encryption keys that are under the control of end-users to prevent fraudulent
use.
• Monitoring and Logging Policy: sets forth what events and activities should be
logged and how logs should be transmitted, rotated, retained, and stored.
• Password Creation and Management Policy: covers how to create, change, and
protect user passwords, including complexity and length requirements.
• Remote Access Policy: provides guidance on how to connect to a company’s
internal network from unsecured locations such as public spaces or home
networks.
• User Identification, Authentication, and Authorization Policy: defines the
process of verifying the identity of users attempting to access enterprise
resources or applications.
Issue-Specific Security Policy (ISSP)
• An ISSP is developed by an organization to outline the guidelines that govern the use of individual technologies in that organization.
• ISSP topics could include:
- E-mail use
- Internet and World Wide Web use
- Specific minimum configurations of computers to defend against worms and viruses
- Prohibitions against hacking or testing organization security controls
- etc.
Examples of ISSP
• Social Media Usage Policy: applies to all employees accessing social media platforms for work-related purposes. Provides guidelines for sharing company information, protecting personal and corporate reputations, and avoiding malicious activities on social media.
• Cloud Security Policy: to ensure the secure adoption and use of cloud services.
Examples of ISSP (cont'd)
• Phishing Awareness and Prevention Policy: to educate employees about phishing threats and establish preventive measures. It applies to all employees who use email and other communication tools.
• Email Policy: to establish guidelines for the appropriate use and security of email.
• Anti-virus Policy: to establish a framework for the effective implementation and management of antivirus measures.
Systems-Specific Security Policy (SSSP)
◼ Systems-specific policies (SysSPs) frequently do not look like other types of policy
◼ They are often created to function as standards or procedures to be used when configuring or maintaining systems
◼ SysSPs can be separated into:
◼ Management guidance
◼ Technical specifications
◼ Combination
Management Guidance SSSPs
• Created by management
• Guides the implementation and configuration of technology
• Applies to any technology that affects the confidentiality, integrity or availability of information
Technical Specifications SSSPs
▪ System administrators’ directions on
implementing managerial policy
▪ Each type of equipment has its own type of
policies
▪ Two general methods of implementing such
technical controls:
- Access control lists
- Configuration rules
Access Control Lists
- Include user access lists, matrices, and capability tables that govern rights and privileges
- Can control access to file storage systems, object brokers or other network communications devices
- ACLs enable administrators to restrict access according to user, computer, time, duration, etc.
- Capability table: a similar method that specifies which objects, and with which rights, users or groups can access (an ACL is the per-object view of the access matrix; a capability table is the per-subject view of the same matrix)
- Specifications are frequently complex matrices, rather than simple lists or tables
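To make the relationship between the access matrix, ACLs and capability tables concrete, here is a small authorization module added for this page (it is not the lecture's code). The matrix, the business-hours windows and the subjects are constructed example data; the audit log shows how an administrator later answers "who viewed or modified this object", which is the reason the page gives for logging access.

```python
from datetime import time

# Constructed access matrix: subject -> object -> set of rights (example data, not a real system)
ACCESS_MATRIX = {
    "alice":      {"payroll.db": {"read", "write"}, "hr_docs": {"read"}},
    "bob":        {"hr_docs": {"read", "write"}},
    "svc_backup": {"payroll.db": {"read"}, "hr_docs": {"read"}},
}

# Optional time-of-day restriction per subject (the "time" dimension the slide mentions).
# Subjects without an entry are unrestricted; the backup service runs at night.
TIME_WINDOWS = {
    "alice": (time(8, 0), time(18, 0)),
    "bob":   (time(8, 0), time(18, 0)),
}

AUDIT_LOG = []   # every decision is recorded so reviewers can reconstruct who touched what


def acl_for(obj: str) -> dict:
    """ACL view: one column of the matrix, i.e. which subjects hold which rights on `obj`."""
    return {subj: rights[obj] for subj, rights in ACCESS_MATRIX.items() if obj in rights}


def capabilities_of(subject: str) -> dict:
    """Capability-table view: one row of the matrix, i.e. everything `subject` may do."""
    return dict(ACCESS_MATRIX.get(subject, {}))


def in_window(subject: str, at: time) -> bool:
    window = TIME_WINDOWS.get(subject)
    if window is None:
        return True
    start, end = window
    return start <= at <= end


def authorize(subject: str, obj: str, right: str, at: time) -> bool:
    """Default-deny decision: the right must be in the matrix cell AND the time window must allow it."""
    allowed = right in ACCESS_MATRIX.get(subject, {}).get(obj, set()) and in_window(subject, at)
    AUDIT_LOG.append({"subject": subject, "object": obj, "right": right,
                      "time": at.isoformat(), "decision": "ALLOW" if allowed else "DENY"})
    return allowed


def who_accessed(obj: str, right: str = None) -> list:
    """Subjects whose access to `obj` (optionally with a given right) was granted, from the audit log."""
    return [e["subject"] for e in AUDIT_LOG
            if e["object"] == obj and e["decision"] == "ALLOW"
            and (right is None or e["right"] == right)]


if __name__ == "__main__":
    print(authorize("alice", "payroll.db", "write", time(10, 0)))    # business hours -> allowed
    print(authorize("alice", "payroll.db", "write", time(22, 0)))    # outside window -> denied
    print(authorize("svc_backup", "payroll.db", "read", time(2, 0)))  # no window -> allowed
    print(acl_for("payroll.db"))
    print(capabilities_of("bob"))
    print(who_accessed("payroll.db", "write"))
```

The design choice worth noticing is that `authorize` logs denials as well as grants: a burst of DENY entries for one subject is usually the first sign of either a misconfigured rule or an account being probed, and a log that records only successes cannot show it.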
Configuration Rules
• Configuration rules are specific configuration codes entered into security systems to guide execution of the system when information is passing through it
• Rule-based policies are more specific to system operation than ACLs and may or may not deal with users directly
• Many security systems require specific configuration scripts telling systems what actions to perform on each set of information processed
Combination SSSPs
▪ Often organizations create a single document combining elements of both Management Guidance and Technical Specifications SSSPs
▪ While this can be confusing, it is very practical
▪ Care should be taken to perform the required actions in the order in which the procedures present them
Policy Misalignment Impact
What is security misalignment?

◼ Misalignment often happens when the CISO (Chief Information Security Officer)
does not have an equal voice in the enterprise and when the security function is
not able to guide or even have discussions with other executives and the board to
establish the enterprise's tolerance for risk.

◼ Such situations are much more likely to lead to CISOs and CIOs having competing
priorities that push them apart rather than help them align toward common
objectives
Policy Misalignment Impact (cont'd)
Impact of any misalignment of IT security with organizational policy

◼ Misalignment between organizational policy and IT security controls creates gaps between what the policy requires and what the systems actually enforce; those gaps are exposures that an attacker can take advantage of.

◼ Misalignment can also leave employees not knowing what to do: if a policy instructs employees to perform a specific behavior and IT security then blocks that behavior, the employee ends up lost and will often work around the control.

◼ Misaligned policies weaken the system's security, making it easier to breach or violate. The result can be the loss of private data from the data center and servers, damage to the company's reputation, and, in the worst case, a threat to the continuity of the entire enterprise.
Main components of DRP
◼ DRP team: this team is responsible for developing and implementing the disaster recovery plan.
◼ The team should consist of individuals with expertise in different areas, such as IT, business continuity, and emergency management.
◼ A DRP team provides the insight and expertise needed to recover from a disaster more effectively.
◼ Additionally, a DRP team helps identify and mitigate the risks associated with the disaster recovery plan itself (for example, restores that have never been tested).
Main components of DRP
◼ RTO: the recovery time objective (RTO) is the maximum acceptable time within which a business process must be restored after a disruption.
◼ The RTO should be realistic and achievable and should be based on the impact of the disruption on the business.
◼ It sets the target timeframe within which systems and data must be recovered. This is especially important for businesses that rely on their systems to function properly.
◼ By including the RTO in the disaster recovery plan, and testing recovery against it, the company can verify that its systems can be brought back up within the agreed time in the event of a disaster.
Main components of DRP
◼ RPO: the recovery point objective (RPO) is the maximum amount of data loss that can be tolerated in a disaster, usually expressed as a period of time (the age of the most recent usable backup).
◼ The RPO should be based on the amount of data loss that is tolerable for the business.
◼ The RPO drives how often backups must be taken: the interval between successful backups must not exceed the RPO, which bounds data loss and supports timely recovery of data.
◼ Additionally, the RPO helps ensure that the disaster recovery plan meets applicable regulatory requirements for data retention and recovery.
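RTO and RPO only mean something when they are checked against evidence: the backup schedule actually achieved and the restore times measured in a DR test. The script below, added for this page rather than taken from the lecture, does both checks over a constructed backup log (with one missed job) and a constructed set of DR-test step timings. The 4-hour RPO and 2-hour RTO are assumed example objectives.

```python
from datetime import datetime, timedelta

RPO = timedelta(hours=4)   # assumed objective: at most 4 hours of data may be lost
RTO = timedelta(hours=2)   # assumed objective: service restored within 2 hours

# Constructed log of successful backup completion times; the 12:00 job did not run.
BACKUP_LOG = [
    "2024-03-01T00:00:00", "2024-03-01T04:00:00", "2024-03-01T08:00:00",
    "2024-03-01T16:00:00", "2024-03-01T20:00:00",
]

# Constructed durations measured during a DR exercise, per recovery step.
DR_TEST_STEPS = {
    "detect_and_declare": timedelta(minutes=15),
    "provision_standby":  timedelta(minutes=30),
    "restore_database":   timedelta(minutes=50),
    "verify_application": timedelta(minutes=20),
}


def _parse(ts: str) -> datetime:
    return datetime.fromisoformat(ts)


def rpo_violations(log: list, rpo: timedelta) -> list:
    """Gaps between consecutive backups longer than the RPO; each gap is a window the RPO promise cannot cover."""
    times = sorted(_parse(t) for t in log)
    return [(a, b, b - a) for a, b in zip(times, times[1:]) if b - a > rpo]


def data_loss_at(log: list, incident: datetime):
    """Data actually lost if a disaster strikes at `incident`: age of the newest backup taken before it.
    Returns None when no backup predates the incident (total loss)."""
    prior = [_parse(t) for t in log if _parse(t) <= incident]
    if not prior:
        return None
    return incident - max(prior)


def recovery_time(steps: dict) -> timedelta:
    """Total recovery time from measured step durations (steps assumed sequential)."""
    return sum(steps.values(), timedelta())


def meets_rto(steps: dict, rto: timedelta) -> bool:
    return recovery_time(steps) <= rto


if __name__ == "__main__":
    for start, end, gap in rpo_violations(BACKUP_LOG, RPO):
        print(f"RPO violated: no backup between {start} and {end} ({gap})")
    print("loss if incident at 15:00:", data_loss_at(BACKUP_LOG, datetime(2024, 3, 1, 15, 0)))
    print("measured RTO:", recovery_time(DR_TEST_STEPS), "meets objective:", meets_rto(DR_TEST_STEPS, RTO))
```

The point the numbers make: a 4-hour backup schedule nominally satisfies a 4-hour RPO, but a single missed job silently doubles the worst-case loss, so the RPO check has to run against the log of backups that actually completed, not against the schedule. Likewise the RTO figure is the sum of measured step times from a test; an RTO that has never been exercised is an aspiration, not an objective.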
Main components of DRP
◼ Backups: backups are essential for recovering data after a disaster.
◼ The backups should be stored in a safe location, such as a fireproof and waterproof safe or an off-site location separate from the primary systems, and restores should be tested regularly.
◼ They provide a way to recover data if it is lost or corrupted.
◼ Backups also help ensure that data remains available if a system goes down.
◼ Additionally, backups reduce the amount of time it takes to recover from a disaster.
Main components of DRP
◼ Documentation: The disaster recovery plan should be well-documented, so that
it can be easily followed in the event of a disaster.

◼ The documentation should include procedures for all aspects of the plan, such
as data backup and recovery, system failover, and communication.

◼ It provides the roadmap for how the plan will be executed.

◼ Without documentation, the plan may not be effective or may not be followed
correctly.

◼ Documentation also allows for review of the plan as needed, which is essential
to keeping the plan up-to-date and effective.
Main components of DRP
◼ Automation: automation can help to reduce the time and effort required to implement the disaster recovery plan.
◼ Automation can be used for tasks such as backing up data, failing over to a standby system, and sending notifications.
◼ Automation can help to speed up the process of recovering from a disaster, as well as help to ensure that all the necessary steps are taken in order to recover from the disaster.
◼ Additionally, automation can help to reduce the amount of human error that can occur during the disaster recovery process.
Organizational Security Protection Procedures
◼ Procedures to protect customers
◼ Procedures to protect business-critical data
◼ Procedures to protect equipment

Organizational Security Protection Procedures
Procedures to protect customers
◼ Limit access to customer information: when these controls are effectively implemented, they mitigate the risk of access by unauthorized parties and protect the data against intrusion. This information should not be in the hands of all employees; access must be granted to a specific, limited set of employees, and with access logs we can identify the people who modified or viewed the data.

◼ Authentication protocols: these are used to prove that a person is the owner of the account and that the data belongs to them. In the past, single-factor authentication was common, requiring the user to enter one piece of identifying information such as a password. Recently, organizations have moved to multi-factor authentication, which requires the user to enter a password plus an additional code, often generated by or sent to their mobile phone, so that a stolen password alone is not enough to log in.
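The second factor described above is usually a time-based one-time password (TOTP, RFC 6238) generated by an app on the phone. The login routine below is an added illustration, not the lecture's code: it checks a salted PBKDF2 password hash (factor one, something the user knows) and then a TOTP code (factor two, something the user has), using only the Python standard library. The user record is constructed; the TOTP seed is the RFC 6238 test-vector seed, reused here only so the output can be checked against the RFC.

```python
import hashlib
import hmac
import struct

PBKDF2_ROUNDS = 100_000
TOTP_STEP = 30   # seconds per code, as in RFC 6238


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return str(code).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = TOTP_STEP, digits: int = 6) -> str:
    """TOTP (RFC 6238): HOTP with the counter set to floor(unix_time / step)."""
    return hotp(secret, unix_time // step, digits)


# Constructed user store: salted password hash plus the TOTP seed shared with the user's phone app.
# (In a real store the seed must be protected as carefully as the password hash.)
USERS = {
    "alice": {
        "salt": b"constructed-salt-value",
        "pw_hash": hashlib.pbkdf2_hmac("sha256", b"correct horse battery staple",
                                       b"constructed-salt-value", PBKDF2_ROUNDS),
        "totp_secret": b"12345678901234567890",   # RFC 6238 Appendix B seed, used as example data
    }
}


def verify_password(user: str, password: str) -> bool:
    rec = USERS.get(user)
    if rec is None:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), rec["salt"], PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, rec["pw_hash"])


def verify_totp(user: str, code: str, now: int, window: int = 1) -> bool:
    """Accept the current step plus/minus `window` steps to tolerate phone clock drift."""
    rec = USERS.get(user)
    if rec is None:
        return False
    for drift in range(-window, window + 1):
        expected = totp(rec["totp_secret"], now + drift * TOTP_STEP)
        if hmac.compare_digest(expected, code):
            return True
    return False


def login(user: str, password: str, code: str, now: int) -> bool:
    """Both factors must pass; a stolen password without the phone is rejected."""
    return verify_password(user, password) and verify_totp(user, code, now)


if __name__ == "__main__":
    seed = b"12345678901234567890"
    print(totp(seed, 59), totp(seed, 1111111109))                         # RFC 6238 vectors: 287082, 081804
    print(login("alice", "correct horse battery staple", totp(seed, 59), 59))
    print(login("alice", "correct horse battery staple", "000000", 59))
```

Note the use of `hmac.compare_digest` for both comparisons so that timing does not leak how many characters matched, and the deliberately small drift window: widening it makes a stolen code usable for longer. A production deployment would additionally reject a code that has already been used in the current step.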
Organizational Security Protection Procedures
Procedures to protect business-critical data

◼ Encrypt data: encryption transforms data into another form so that only people who hold the decryption key can read it. Institutions now use it widely to protect customer records such as credit card information or personal information, and it is one of the most widely used security methods.

◼ Data backup: backup is the process of making a copy of the data to a secondary location so that it can be restored if the original data is lost, deleted, or destroyed in a disaster. It is also a key component of the Disaster Recovery Plan and Business Continuity Strategy, and the backup copies themselves must be protected.
Organizational Security Protection Procedures
Procedures to protect equipment

◼ Staff awareness: damage to equipment is often the result of personnel who have not been trained to use it; therefore, it is important to train employees to mitigate these damages. Correctly trained employees perform their jobs better, become more aware, and take precautions with machines. Training also builds employees' self-confidence, because it addresses their weaknesses.

◼ Antivirus software: antivirus software detects and removes malware by scanning data such as web pages, files and programs, thus protecting the device from harmful content that could damage data, sabotage the device or slow it down; it also checks emails and quarantines or deletes any viruses found. Antivirus software must be kept up to date with the latest signatures, must run continuously (real-time protection), and should be scheduled to perform a full scan regularly, for example every day.
Organizational Security Protection Procedures
Procedures to protect equipment

• Firewalls: the firewall is a foundation of network security, and many other widely used security technologies build on it. Using a set of rules that identify and block threats, firewalls inspect traffic to prevent unauthorized access to the network. The firewall's function is also to maintain a log of events that administrators can use to improve the rule set. The rules should be updated regularly to keep pace with cybersecurity threats.

• Physical security: access controls, surveillance tools, ….
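The firewall paragraph above and the earlier Configuration Rules section describe the same mechanism: a rule set that a security system applies to each unit of information passing through it, plus a log that administrators use to tune the rules. The packet filter below is an added example (not from the lecture) of that mechanism: rules are evaluated first-match, a blocklist entry deliberately precedes a broader allow rule to show why ordering matters, the list ends in an explicit default deny, and logged decisions are summarised per source the way an administrator would when deciding what to tighten. The addresses, rules and packets are constructed.

```python
from collections import Counter
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass
class Rule:
    name: str
    action: str            # "allow" or "deny"
    proto: str             # "tcp", "udp" or "any"
    src: str               # source CIDR
    dst: str               # destination CIDR
    dport: Optional[int]   # destination port, None = any
    log: bool = False      # whether a match is written to the event log


# Constructed rule set, evaluated top to bottom, first match wins.
RULES = [
    Rule("block-known-bad", "deny", "any", "203.0.113.0/24", "0.0.0.0/0", None, log=True),
    Rule("web-in", "allow", "tcp", "0.0.0.0/0", "198.51.100.10/32", 443),
    Rule("ssh-from-admin", "allow", "tcp", "10.0.0.0/24", "198.51.100.0/24", 22, log=True),
    Rule("default-deny", "deny", "any", "0.0.0.0/0", "0.0.0.0/0", None, log=True),
]

EVENT_LOG = []   # structured records of logged decisions


def matches(rule: Rule, pkt: dict) -> bool:
    """All rule fields must match; a None port on the rule matches any port."""
    return ((rule.proto == "any" or rule.proto == pkt["proto"])
            and ip_address(pkt["src"]) in ip_network(rule.src)
            and ip_address(pkt["dst"]) in ip_network(rule.dst)
            and (rule.dport is None or rule.dport == pkt["dport"]))


def filter_packet(pkt: dict, rules: list = RULES) -> str:
    """Return the action of the first matching rule; deny if nothing matches (implicit safety net)."""
    for rule in rules:
        if matches(rule, pkt):
            if rule.log:
                EVENT_LOG.append({"action": rule.action, "rule": rule.name, **pkt})
            return rule.action
    return "deny"


def deny_counts(log: list = EVENT_LOG) -> list:
    """Denied connections per source address, most frequent first: the view used to tune the rule set."""
    return Counter(e["src"] for e in log if e["action"] == "deny").most_common()


if __name__ == "__main__":
    # Constructed sample traffic
    sample = [
        {"proto": "tcp", "src": "192.0.2.5",   "dst": "198.51.100.10", "dport": 443},  # public web: allow
        {"proto": "tcp", "src": "10.0.0.7",    "dst": "198.51.100.10", "dport": 22},   # admin ssh: allow
        {"proto": "tcp", "src": "192.0.2.5",   "dst": "198.51.100.10", "dport": 22},   # ssh from internet: deny
        {"proto": "tcp", "src": "203.0.113.9", "dst": "198.51.100.10", "dport": 443},  # blocklisted: deny first
    ]
    for pkt in sample:
        print(filter_packet(pkt), pkt)
    print(deny_counts())
```

The blocklisted host in the sample would have matched `web-in` had the rules been written in the other order; "specific deny before broad allow, explicit deny last" is the ordering discipline the page's "rules should be updated regularly" implies, because every rule added later has to be placed relative to those already there.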


The End