Cyber Security Unit IV

The document outlines the importance and components of security policies in organizations, emphasizing their role in managing and protecting information and technology infrastructure. It details key components such as access control, data protection, incident response, and compliance, as well as the need for regular policy reviews and updates. Additionally, it highlights various types of security policies, including those related to network security, data privacy, and email security, to mitigate cyber threats and ensure organizational compliance.

Uploaded by

shreyarora012

BMC-106: CYBER SECURITY

UNIT 4

SECURITY POLICIES

A security policy is a set of principles and rules that guide how an organization
manages and protects its information, assets, and technology infrastructure. It
defines how to ensure the confidentiality, integrity, and availability of
information and systems, addressing potential risks and outlining the necessary
controls to mitigate them.
A comprehensive security policy generally covers the following aspects:
Key Components of a Security Policy
1. Purpose and Scope
o Purpose: Describes the objectives of the policy, such as protecting
organizational data, systems, and resources from unauthorized
access, theft, or damage.
o Scope: Defines the areas the policy applies to (e.g., employees,
contractors, third-party vendors) and the systems or data covered
by the policy (e.g., hardware, software, networks).
2. Information Security Objectives
o Confidentiality: Ensures that information is only accessible to
authorized individuals or entities.
o Integrity: Guarantees that data is accurate, complete, and
unaltered.
o Availability: Ensures that information and resources are accessible
to authorized users when needed.
3. Roles and Responsibilities
o Defines the roles of different stakeholders in the organization (e.g.,
IT administrators, employees, third-party vendors) in relation to
security management and protection.
o Outlines specific responsibilities for safeguarding information,
reporting security incidents, and complying with security protocols.
4. Access Control
o Authentication: Ensures that individuals are properly
authenticated before accessing sensitive information or systems.
o Authorization: Defines the level of access granted to individuals
based on their role or responsibilities (e.g., least privilege).
o Password Policies: Specifies requirements for password strength,
frequency of change, and secure storage.
5. Data Protection and Privacy
o Encryption: Requires the encryption of sensitive data both at rest
and in transit.
o Data Handling: Specifies how to store, transmit, and destroy
sensitive data securely.
o Data Retention: Outlines how long data should be retained and the
procedures for securely disposing of or deleting data when it is no
longer needed.
6. Network Security
o Defines measures to secure the organization's networks, including
firewalls, intrusion detection/prevention systems (IDS/IPS), and
secure Wi-Fi protocols.
o Ensures the segmentation of critical systems and the use of VPNs
(Virtual Private Networks) for remote access.
7. Incident Response
o Incident Detection and Reporting: Provides a clear protocol for
identifying and reporting security breaches or incidents.
o Incident Response Plan: Details how the organization will
respond to and recover from security incidents (e.g., data breaches,
system outages).
o Forensic Investigation: Ensures that evidence from security
incidents is collected and preserved for possible legal action.
8. Physical Security
o Access Controls: Specifies who has physical access to systems and
data centres (e.g., biometric access, keycards).
o Environmental Controls: Covers safety measures to protect
physical infrastructure (e.g., temperature control, fire protection
systems).
9. Security Awareness and Training
o Establishes regular training programs for employees on security
best practices, phishing, social engineering, and password
management.
o Ensures that employees understand their roles in maintaining
security and how to recognize and report potential threats.
10. Compliance and Legal Requirements
o Ensures that the organization complies with relevant industry
regulations and legal requirements (e.g., GDPR, HIPAA, PCI-DSS,
NIST).
o Specifies regular audits and assessments to ensure compliance with
the policy.
11. Monitoring and Auditing
o Describes methods for continuously monitoring systems and
networks for suspicious activities.
o Establishes regular security audits to assess adherence to the policy
and identify vulnerabilities.
12. Policy Enforcement and Consequences
o Details the consequences for non-compliance with the security
policy (e.g., disciplinary action, termination).
o Specifies how violations will be addressed and investigated.
13. Review and Updates
o Outlines a process for regularly reviewing and updating the policy
to adapt to new security threats or regulatory changes.
o Ensures that the policy evolves with the organization’s needs and
external threats.

Types of Security Policies

 Network Security Policy: Focuses on the protection of networks,
including firewalls, intrusion detection systems, and securing network
traffic.
 Data Security Policy: Outlines how data should be handled, stored, and
transmitted to ensure its protection.
 Application Security Policy: Specifies secure coding practices, security
testing, and how to protect applications from vulnerabilities.
 Acceptable Use Policy (AUP): Defines acceptable behaviours for using
the organization’s IT resources, such as internet usage, email
communication, and software installations.
 Disaster Recovery and Business Continuity Policy: Details how the
organization will respond to system outages or natural disasters to ensure
minimal disruption to business operations.
 Bring Your Own Device (BYOD) Policy: Addresses how personal
devices should be used in the workplace and the security measures
required to protect organizational data.

Example of a Security Policy Structure

1. Introduction: Statement of intent, scope, and objectives of the security
policy.
2. Roles and Responsibilities: Defines who is responsible for what in the
organization.
3. Access Control: Outlines protocols for managing and controlling access.
4. Incident Management: Procedures for detecting and responding to
incidents.
5. Compliance: Ensures that legal and regulatory requirements are met.
6. Policy Review: States how often the policy will be reviewed and updated.

NEED FOR SECURITY POLICY

Cybersecurity policies help protect an organization from cyber threats
and ensure compliance with applicable laws. These policies can reduce an
organization’s risk by training employees to avoid certain activities, and
they enable effective incident response by defining procedures for
detection, prevention, and remediation.

POLICY REVIEW PROCESS

What is the policy review process?

 After drafting a policy, and before its final implementation, we have to
check whether the policy is really ready for implementation.
 After the policy has been implemented, we have to check it from time to
time, analyse its effectiveness, and decide whether it needs to be modified.

Steps for the policy review process:

The policy review process consists of six steps:
1. Have someone other than the person who worked on or wrote the policy
review it.
2. Assess the policy for completeness (every procedure must be complete).
3. Ensure policy statements are clear, concise, and smart.
4. The policy must answer the 5 W’s:
➢ Who is involved
➢ What happened
➢ When it takes place
➢ Where it takes place
➢ Why this happens
5. Ensure consistency with laws, regulations, and other levels of policy.
6. Check that the policy is fresh and easily available to the organisation’s
members, i.e., easy to maintain and kept up to date.

Why is the policy review process necessary?

 A cyber security policy review process is necessary because it helps
organizations ensure that their security measures are effective against
threats and that they comply with rules and regulations.
 It can also minimize the risk of cyber fraud that uses advanced
technology.
 It also creates a balance between current practices and the practices the
organization wants to see in future.

Publishing and Notification Requirements of the Policies

Publishing and notification requirements for policies are essential for ensuring
that all relevant stakeholders are informed and that the policies are effectively
communicated and implemented. These requirements can vary depending on the
type of policy, the organization, and the jurisdiction (e.g., public vs. private
sector).
Below is a general outline of common steps and requirements:
1. Drafting the Policy
 Clarity and Accessibility: The policy should be clearly written, easy to
understand, and accessible to all stakeholders who will be affected by it.
 Approval Process: Before publishing, the policy must go through an
internal approval process, including review by relevant departments, legal
counsel, and senior management.
 Internal Communication: Often, the policy is circulated internally for
feedback before it is finalized.

2. Publishing the Policy
 Mediums of Publication:
o Intranet: If the policy is internal to the organization (such as a
company), it is often published on internal systems like the company
intranet or internal newsletters.
o Official Website: For public-facing policies (e.g., government
policies), the policy may be published on the organization’s official
website or relevant digital platforms.
o Physical Distribution: In some cases, especially for policies that
impact specific locations or departments, hard copies may be posted in
visible locations or handed out to individuals.
o Email Notifications: An email distribution list may be used to notify
employees or stakeholders about the policy’s release and where it can
be accessed.
o Public Disclosure: If required by law or governance standards,
policies may need to be published in public records, newspapers, or
official gazettes (e.g., for governmental policy changes).

3. Notification to Stakeholders
 Internal Stakeholders:
o Employees: In a workplace, employees are typically notified via
email, intranet posts, or team meetings. Training sessions may also be
arranged if the policy requires understanding of new procedures or
guidelines.
o Departments and Managers: Key managers or department heads
may be informed through direct briefings, meetings, or internal
memos, ensuring that they can communicate the policy to their teams.
 External Stakeholders:
o Suppliers/Contractors: External parties affected by the policy (e.g.,
vendors or contractors) may need to be notified by email or letter and
sometimes required to acknowledge the policy.
o Public or Customers: If the policy affects customers or the public,
there might be a need for more formal announcements through media
channels, public service announcements, or newsletters.

4. Compliance and Legal Requirements
 Legal Compliance: Depending on the jurisdiction and type of policy
(especially with employment, data privacy, environmental, or financial
policies), certain rules may dictate how the policy must be communicated
or published.
 Notification Period: Some policies may require that certain stakeholders
be given a notice period before they are expected to comply, especially if
they affect existing agreements or contracts.

5. Acknowledgment and Confirmation
 Employee Acknowledgment: For internal policies, especially in
employment settings, it’s often required that employees acknowledge
receipt and understanding of the policy, typically through signed forms or
electronic confirmation.
 Feedback Mechanisms: The publication of policies may include
mechanisms for stakeholders to ask questions, seek clarification, or
provide feedback (e.g., contact persons, Q&A sessions).

6. Review and Updates
 Policy Review: Policies should include a clause or process for periodic
review to ensure they are still relevant. Once reviewed, they may need to
be re-published with updates or changes.
 Ongoing Notifications: If a policy is amended, updated, or repealed, a
follow-up notification should be sent to stakeholders outlining the
changes and their impact.
TYPES OF SECURITY POLICY

WWW Policies:
"WWW policies" generally refer to policies related to the use of the World
Wide Web (WWW) within an organization. These policies are designed to
ensure safe, secure, and responsible use of the internet, websites, and web-based
services to protect sensitive data, maintain system integrity, and comply with
legal requirements. Below are some common types of cybersecurity policies
related to the WWW:
1. Acceptable Use Policy (AUP)
 This policy often includes rules against accessing inappropriate websites,
downloading malware, or engaging in activities that could harm the
organization’s network.
 Key Points:
o Defines prohibited websites (e.g., adult content, gambling).
o Guidelines for using company-provided devices and internet
connections.
2. Website Security Policy
 This policy is focused on ensuring that the organization’s websites are
secure and protected from cyber threats such as hacking, data breaches, or
malware attacks.
 Key Points:
o Requires the use of encryption (e.g., SSL/TLS) for sensitive
transactions.
o Details the security measures for maintaining the website’s
infrastructure.
o Ensures secure authentication and access control for website
administrators and users.
3. Data Privacy and Protection Policy
 This policy ensures that any data collected through websites (such as
customer data, user information, etc.) is protected and complies with data
protection laws (e.g., GDPR, CCPA).
 Key Points:
o Guidelines for collecting, processing, and storing personal data.
o Rules for handling data breaches or security incidents related to
web data.
5. Content Management and Moderation Policy
 This policy applies to websites or web platforms (like forums, blogs, or
social media) maintained by the organization. It defines acceptable
content, addresses moderation, and ensures that users cannot post harmful
or illegal material.
 Key Points:
o Provides rules for user-generated content and reviews.
o Ensures that illegal or offensive content is promptly removed.
6. Web Application Security Policy
 This policy addresses the security of web applications, ensuring that the
software is designed, deployed, and maintained in a secure manner. It
focuses on preventing vulnerabilities such as SQL injection, cross-site
scripting (XSS), or cross-site request forgery (CSRF).
 Key Points:
o Secure coding practices and regular security testing (e.g.,
penetration testing).
o Managing user access to the application.
o Patching known vulnerabilities in web applications.
7. Remote Access and Virtual Private Network (VPN) Policy
 This policy governs the secure use of the internet and web applications
when employees access corporate resources remotely, often through a
VPN. It ensures secure access to organizational websites and resources
from outside the corporate network.
 Key Points:
o Requirements for using a VPN for remote access to internal
websites and applications.
o Encryption and authentication protocols for secure access.
o Restrictions on accessing sensitive data or web applications from
unsecured networks.
8. Social Media and Web Interaction Policy
 Many organizations develop policies around how employees should
interact with the web, particularly on social media platforms. These
policies help protect the organization's reputation and prevent the
accidental leak of sensitive information.
 Key Points:
o Guidelines for employees using personal social media accounts or
blogs.
o Rules regarding sharing company information online.
o Use of company branding and trademarks on external websites.
9. Malware and Phishing Protection Policy
 This policy addresses protections against malicious websites and phishing
attacks, where users may unknowingly visit harmful sites or be tricked
into sharing sensitive information.
 Key Points:
o Use of anti-malware tools and web filters to block harmful sites.
o Awareness and training for employees on recognizing phishing
attacks.
o Protocols for reporting suspicious websites or emails.
10. Incident Response Policy for Web-Related Threats
 This policy provides procedures for responding to security incidents that
involve web-based threats (e.g., data breaches, website defacements, or
denial-of-service attacks).
 Key Points:
o Steps to take in case of a web security breach.
o Communication protocols for internal and external stakeholders.
o Procedures for analysing and mitigating the impact of web-based
incidents.

Why WWW Policies Are Important:

 Security: Helps protect an organization from cyber threats (such as
malware, ransomware, or data breaches) that could exploit weaknesses in
web access or web-based applications.
 Compliance: Ensures adherence to data protection laws and industry
regulations related to the internet and the use of web applications.
 Productivity: Prevents distractions and abuse of the internet (e.g., using
social media excessively) during work hours.
 Reputation: Protects the organization’s public image by ensuring secure
and responsible online behaviour, both for employees and the
organization’s web-facing services.

Email security policies

An Email Security Policy is a set of guidelines and rules designed to
protect an organization’s email system and its users from security threats,
such as phishing, malware, unauthorized access, and data breaches. The
goal of an email security policy is to safeguard sensitive information,
ensure compliance with regulations, and reduce the risk of security
incidents related to email.
Key elements of email security policies include:

1. Authentication: Ensuring that the sender and recipient are verified, often
through strong authentication methods like two-factor authentication
(2FA) or multi-factor authentication (MFA).

2. Encryption: Mandating the use of encryption to protect email contents
(such as S/MIME or PGP encryption) when sending sensitive data.

3. Anti-Phishing and Anti-Spam: Defining practices and tools to prevent
phishing attacks and block spam emails, which are commonly used to
distribute malicious content.

4. Malware Protection: Ensuring that emails are scanned for malware and
other malicious attachments that could harm systems or steal information.

5. Data Loss Prevention (DLP): Monitoring and controlling sensitive data
within email communication to prevent inadvertent or malicious data
leaks (such as personal, financial, or confidential business information).

6. Retention and Archiving: Setting guidelines for how long emails are
stored and how they are archived, to ensure compliance with legal,
regulatory, and operational requirements.

7. User Training: Educating employees on identifying suspicious emails,
safe email practices, and the consequences of not following security
protocols.

8. Incident Response: Creating procedures to handle security incidents
related to email, including how to report and mitigate any breaches or
attacks.

Corporate policies

Corporate policies are formal guidelines set by an organization to
govern its operations, ensure consistency, and promote compliance with
legal, ethical, and regulatory standards. They provide clear rules for
employee behaviour, decision-making, and organizational processes.
Key elements of corporate policies typically include:

1. Purpose and Scope: Explains the policy’s objectives, who it applies to
(e.g., employees, contractors), and in what situations it should be
followed.

2. Code of Conduct: Establishes expected behaviours for employees, such
as honesty, integrity, and professionalism, to maintain a positive
organizational culture.

3. Compliance and Legal Standards: Ensures that the organization
adheres to relevant laws, regulations, and industry standards (e.g., labour
laws, environmental regulations, data privacy).

4. Operational Procedures: Provides clear instructions on how specific
processes should be carried out, like procurement, reporting, or customer
service.

5. Ethical Guidelines: Addresses moral principles guiding the company’s
actions, such as fairness, transparency, and corporate social responsibility.

6. Health and Safety: Establishes rules to ensure a safe and healthy work
environment for all employees, complying with safety regulations and
promoting wellness.

7. Employee Conduct and Discipline: Outlines acceptable and
unacceptable behaviours, as well as the consequences for violations (e.g.,
harassment, discrimination).

8. Risk Management: Identifies potential risks to the business and outlines
strategies for mitigating those risks, including financial, operational, and
reputational risks.

Sample security policies

Sample security policies are documents that provide guidelines and rules
for protecting an organization’s information, data, and assets. These
policies are designed to establish standards and procedures for
maintaining security across an organization’s operations.
Here are some common types of sample security policies:

1. Information Security Policy
 Purpose: Establishes the organization’s overall approach to securing its
information systems and data.
 Content: Describes general objectives for protecting data, defines roles
and responsibilities, sets expectations for information handling, and
outlines security standards.

2. Acceptable Use Policy (AUP)
 Purpose: Defines acceptable and unacceptable behaviours regarding the
use of company-owned technology resources.
 Content: Specifies the usage of internet, email, company devices, and
software.

3. Password Management Policy
 Purpose: Outlines the requirements for creating and managing passwords
within the organization.
 Content: Specifies guidelines on password complexity, length,
expiration, and reuse policies.

4. Access Control Policy
 Purpose: Defines the methods and protocols for controlling who can
access information and systems within the organization.
 Content: Describes user roles, permissions, and authentication methods
to prevent unauthorized access.

5. Incident Response Policy
 Purpose: Provides a plan of action to detect, respond to, and recover
from security incidents.
 Content: Defines incident types, the reporting process, and actions to
take during a security breach.

6. Data Protection Policy
 Purpose: Addresses the protection and privacy of sensitive and personal
data.
 Content: Defines the types of sensitive data, handling procedures,
encryption methods, and data retention policies.

7. Remote Work Security Policy
 Purpose: Ensures the security of data and systems when employees are
working from remote locations.
 Content: Specifies security measures for VPN usage, device security, and
the use of personal devices for work purposes.

8. Email Security Policy
 Purpose: Addresses the risks associated with email communication, such
as phishing and malware.
 Content: Provides guidelines on identifying suspicious emails and
securing email accounts.

9. Physical Security Policy
 Purpose: Covers security measures to protect physical assets and data
centres.
 Content: Outlines security practices for physical access control,
surveillance, and visitor management.

10. Bring Your Own Device (BYOD) Policy
 Purpose: Provides guidelines for employees using personal devices for
work.
 Content: Specifies acceptable devices, security requirements, and remote
wipe capabilities for lost or stolen devices.
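As an added example that is not part of the notes, the four rules named in the Password Management Policy above (complexity, length, expiration, reuse) and in the earlier Password Policies component, written as an enforceable check. The thresholds (12 characters, 3 character classes, 90-day expiry, 5-password history), the sample account and the passwords are constructed assumptions, not values from the notes.

```python
import hashlib
import hmac
import os
import re
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

HashRecord = Tuple[bytes, bytes]  # (salt, PBKDF2-HMAC-SHA256 digest)

@dataclass
class PasswordPolicy:
    """Policy thresholds: assumed values for illustration, not taken from the notes."""
    min_length: int = 12
    required_classes: int = 3   # out of lower, upper, digit, symbol
    max_age_days: int = 90      # expiration
    history_size: int = 5       # current + previous hashes that may not be reused

@dataclass
class UserRecord:
    current: HashRecord
    set_on: datetime
    history: List[HashRecord] = field(default_factory=list)  # most recent first

def hash_password(password: str, salt: Optional[bytes] = None) -> HashRecord:
    """Salted PBKDF2: only hashes are stored, so reuse checks never need old plaintexts."""
    salt = salt if salt is not None else os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)

def complexity_problems(policy: PasswordPolicy, candidate: str) -> List[str]:
    """Length and character-class rules from the policy."""
    problems = []
    if len(candidate) < policy.min_length:
        problems.append(f"shorter than {policy.min_length} characters")
    classes = sum(bool(re.search(p, candidate))
                  for p in (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"))
    if classes < policy.required_classes:
        problems.append(f"uses {classes} character classes, policy requires {policy.required_classes}")
    return problems

def is_reused(policy: PasswordPolicy, user: UserRecord, candidate: str) -> bool:
    """Re-hash the candidate under each stored salt; compare digests in constant time."""
    recent = [user.current] + user.history[: policy.history_size - 1]
    return any(hmac.compare_digest(hash_password(candidate, salt)[1], digest)
               for salt, digest in recent)

def is_expired(policy: PasswordPolicy, user: UserRecord, now: datetime) -> bool:
    return now - user.set_on > timedelta(days=policy.max_age_days)  # expiration rule

def evaluate_change(policy: PasswordPolicy, user: UserRecord, candidate: str) -> List[str]:
    """All violations for a proposed new password; an empty list means it is accepted."""
    problems = complexity_problems(policy, candidate)
    if is_reused(policy, user, candidate):
        problems.append(f"matches one of the last {policy.history_size} passwords")
    return problems

def apply_change(policy: PasswordPolicy, user: UserRecord, candidate: str, now: datetime) -> UserRecord:
    """Rotate the password and push the old hash into the bounded reuse history."""
    kept = ([user.current] + user.history)[: policy.history_size - 1]
    return UserRecord(hash_password(candidate), now, kept)

def demo() -> dict:
    """Constructed sample account exercising each rule (assumed data, not from the notes)."""
    policy = PasswordPolicy()
    t0 = datetime(2024, 1, 1)
    user = UserRecord(hash_password("Winter-2023-Login"), t0)
    rotated = apply_change(policy, user, "Spring-2024-Login!", t0 + timedelta(days=60))
    return {
        "expired_after_100_days": is_expired(policy, user, t0 + timedelta(days=100)),
        "weak_rejected": evaluate_change(policy, user, "password1"),
        "reuse_rejected": evaluate_change(policy, user, "Winter-2023-Login"),
        "strong_accepted": evaluate_change(policy, user, "Spring-2024-Login!"),
        "old_blocked_after_rotation": is_reused(policy, rotated, "Winter-2023-Login"),
    }
```

Calling demo() returns one result per rule: the expiry check fires after 100 days, the weak password fails on both length and complexity, the reused password fails only on reuse, and the rotated account still blocks its previous password through the hash history.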
