Unit 3

The document outlines the importance of security policies and standards in organizations, defining their roles in protecting information and ensuring compliance. It details the criteria for designing effective security policies, the components of a security blueprint, and the significance of security education and training programs. Additionally, it discusses continuity strategies and the function of firewalls in network security.

Uploaded by

upsc260504
3/4/25, 4:45 PM UNIT 3

UNIT 3
What are Security Policies?

A security policy is a formal document that defines how an organization protects its
information, systems, and resources. It sets clear rules and responsibilities for
employees, contractors, and stakeholders.

What are Security Standards?

Security standards are specific, measurable requirements that implement the
policies. Standards are often technical and ensure consistency in how policies are
applied.

Importance of Security Policies and Standards

1. Guidance: Provide a framework for managing security risks.
2. Compliance: Ensure adherence to legal, regulatory, and contractual obligations.
3. Consistency: Standardize security measures across the organization.
4. Accountability: Define roles and responsibilities for everyone in the organization.

https://helix-stamp-628.notion.site/UNIT-3-14a39aa0e1ad8025a1f2fbe3c464b627 1/14

Criteria for designing a Security Policy

1. Dissemination (Distribution) – Spreading the Policy

• The policy should be shared with all employees so they know the rules.

• Example: A company emails all employees about the new password policy
requiring 12-character passwords.
2. Review (Reading) – Making Sure People Read It

• Employees should read and acknowledge the policy.

• Example: When logging into a company system for the first time, employees
must read and accept security guidelines before proceeding.
3. Comprehension (Understanding) – Ensuring Clarity

• The policy should be easy to understand, avoiding complex language.

• Example: Instead of saying, "Ensure multi-factor authentication (MFA) is
activated," it should say, "Use a password plus a verification code sent to
your phone."
4. Compliance (Agreement) – Following the Rules

• Employees should agree to follow the policy and understand the
consequences of violations.

• Example: An employee cannot access the company's cloud storage without
agreeing to the security terms.
5. Uniform Enforcement – Same Rules for Everyone

• The policy should apply to all employees equally, including senior
management.

• Example: If an employee is fired for leaking company data, a manager
should also face the same consequences if they do the same.

Security Blueprint

A Security Blueprint is a detailed framework or plan that organizations use to build
and maintain their information security programs. It acts as a guide to implement
security policies, controls, and procedures in alignment with business goals and
regulatory requirements.
Why is a Security Blueprint Important?

1. Alignment with Business Goals: Ensures that security measures support
organizational objectives.
2. Consistency: Provides a standardized approach to security across all
departments.
3. Risk Management: Helps identify and mitigate risks effectively.
4. Regulatory Compliance: Ensures adherence to legal and industry standards.

Key Components of a Security Blueprint

1. Security Framework:
A structured approach that provides guidelines for building security systems.
Examples include:

• NIST Cybersecurity Framework

• ISO/IEC 27001

• COBIT (Control Objectives for Information and Related Technology)


2. Policies and Procedures:
High-level rules and detailed instructions for managing security. Examples:

• Password policies.

• Incident response procedures.


3. Risk Management Strategy:
Plans for identifying, assessing, and mitigating risks. This includes:

• Risk assessment methodologies.

• Risk control strategies (e.g., mitigation, transfer).


4. Technology and Tools:
Tools and technologies to implement security measures, such as:

• Firewalls, antivirus software, and intrusion detection systems.

• Encryption tools for securing data.


5. Roles and Responsibilities:
Defines who is responsible for different security tasks, such as:

• IT administrators managing system configurations.

• Employees ensuring compliance with security policies.

6. Monitoring and Maintenance:

Ongoing processes to:

• Monitor security incidents.

• Update the blueprint based on evolving threats.

Steps to Develop a Security Blueprint

1. Understand Business Requirements:
Identify the organization’s goals and assets that need protection.
2. Select a Security Framework:
Choose a framework like NIST or ISO 27001 to guide implementation.
3. Conduct a Risk Assessment:
Identify potential risks and their impacts on business operations.
4. Develop Policies and Procedures:
Create rules and guidelines for implementing and enforcing security.
5. Implement Security Controls:
Deploy technical and administrative measures to address identified risks.
6. Train Employees:
Educate staff about their roles in maintaining security.
7. Monitor and Update:
Continuously monitor systems and update the blueprint as needed.

Benefits of a Security Blueprint

1. Proactive Approach: Helps organizations stay ahead of potential security threats.
2. Efficiency: Streamlines the implementation of security measures.
3. Scalability: Adapts to the changing needs and growth of the organization.
4. Compliance: Simplifies meeting regulatory and legal requirements.
By following a security blueprint, organizations can ensure a comprehensive and
effective approach to information security.

Security Education, Training, and Awareness (SETA)

SETA is a structured program that organizations use to educate employees about
security policies, practices, and potential risks. Its primary goal is to reduce human
error, enhance security culture, and ensure compliance with regulations.

Goals of SETA Programs

1. Reduce Risks: Minimize the likelihood of security incidents caused by negligence
or lack of awareness.
2. Compliance: Ensure employees follow legal and regulatory requirements.
3. Promote a Security Culture: Foster an environment where security is prioritized
by everyone.
4. Empower Employees: Equip employees with the knowledge to identify and
respond to security threats.

Comparative SETA Framework

Comparative SETA Framework (Security Education, Training, and Awareness) is a
model used in information security management to ensure employees understand
security policies and best practices. It consists of three levels:

1. Awareness ("What")

• Focus: Provides basic information to recognize security issues.

• Objective: Helps employees identify security risks.

• Teaching Method: Media-based, using videos, newsletters, posters, etc.

• Test Measure: True/false and multiple-choice questions to check recognition.

• Impact Timeframe: Short-term (temporary awareness).


Example:

• A company sends out email alerts about phishing scams and posters about
password security.
2. Training ("How")

• Focus: Develops skills to handle security-related situations.

• Objective: Helps employees apply security knowledge.

• Teaching Method: Practical instruction, including lectures, case studies, and
hands-on practice.

• Test Measure: Problem-solving exercises to assess application.

• Impact Timeframe: Intermediate (usable knowledge).


Example:

• Employees attend a hands-on cybersecurity workshop to learn how to
identify malware and secure sensitive files.
3. Education ("Why")

• Focus: Provides deep understanding and reasoning behind security policies.

• Objective: Helps employees think critically about security.

• Teaching Method: Theoretical instruction, including seminars and
background reading.

• Test Measure: Essay-based assessments to interpret security concepts.

• Impact Timeframe: Long-term (deep-rooted understanding).


Example:

• A university offers a cybersecurity course covering encryption, ethical
hacking, and risk management.

Components of a SETA Program

1. Security Education:

• Provides in-depth knowledge about security concepts and practices.

• Targeted at professionals responsible for managing security (e.g., IT
administrators, security analysts).

• Example: A course on advanced encryption techniques for cybersecurity
specialists.
2. Security Training:

• Focuses on teaching specific skills and procedures for handling security
threats.

• Example: Training employees on how to identify phishing emails or securely
manage passwords.
3. Security Awareness:

• Aims to educate all employees about basic security principles and the
importance of following policies.

• Example: Posters, videos, or emails explaining why using strong passwords is
essential.

Benefits of a SETA Program

1. Prevents Security Breaches: Educated employees can identify and report threats
early.
2. Enhances Compliance: Ensures adherence to legal and regulatory standards
(e.g., GDPR, HIPAA).
3. Improves Incident Response: Employees know how to act during security
events.
4. Cost-Effective: Reduces the financial impact of breaches by preventing them.

Real-World Examples of SETA Activities

1. Phishing Simulation:

• Send simulated phishing emails to employees and provide feedback based
on their responses.

2. Workshops:

• Host sessions on topics like creating strong passwords, avoiding malware,
and securely using USB drives.
3. Visual Reminders:

• Posters or digital signage with tips like "Think before you click" or "Lock your
screen when leaving your desk."
4. Role-Specific Training:

• Teach HR staff how to secure sensitive employee records.

• Train finance teams on recognizing invoice fraud.

Continuity Strategies

Continuity strategies are plans and practices designed to ensure that an organization
can continue its critical operations in the event of disruptions such as natural
disasters, cyberattacks, or system failures. These strategies focus on minimizing
downtime and reducing the impact of unforeseen events.

Goals of Continuity Strategies

1. Business Continuity: Ensure essential business functions operate during and
after a disruption.
2. Disaster Recovery: Recover IT systems, data, and infrastructure after a disaster.
3. Resilience: Build systems and processes capable of withstanding or quickly
recovering from disruptions.

Key Continuity Strategies

1. Risk Avoidance

• Definition: Eliminating activities or situations that pose a risk.

• Example: Avoid using outdated systems to reduce the risk of data breaches.

• Challenge: Not always practical, as avoiding risks may limit business
opportunities.

2. Risk Mitigation

• Definition: Reducing the impact of risks through proactive measures.

• Example: Installing backup power supplies to prevent data loss during power
outages.
3. Risk Transfer

• Definition: Shifting the responsibility for a risk to a third party.

• Example: Purchasing insurance to cover losses from cyberattacks or natural
disasters.
4. Risk Acceptance

• Definition: Acknowledging a risk and accepting its potential consequences
without taking action.

• Example: Deciding not to invest in additional security measures for a
low-impact, low-likelihood threat.

Components of Continuity Strategies

1. Business Continuity Plan (BCP)

• A detailed plan for maintaining essential business functions.

• Example: A logistics company ensures supply chain operations continue
despite a transport strike.
2. Disaster Recovery Plan (DRP)

• A specific plan to recover IT infrastructure and data after an incident.

• Example: Restoring servers and databases after a ransomware attack.


3. Redundancy

• Having backup systems, equipment, or personnel to take over if the primary
systems fail.

• Example: Using cloud backups to store critical data.


4. Incident Response Plan (IRP)

• A plan for detecting, responding to, and managing security incidents.

• Example: A predefined protocol for responding to a data breach.

What is a Firewall?

A firewall is a security system that protects computers and networks by filtering
incoming and outgoing traffic. It acts as a barrier between a trusted system (your
computer or network) and untrusted systems (such as the internet).
Firewalls work by following a set of rules that determine which data is allowed and
which should be blocked. These rules help prevent hackers, malware, and
unauthorized access while allowing safe communication.

Importance of Firewalls:
1. Blocks Hackers & Cyberattacks – Prevents unauthorized access to your system.
2. Stops Viruses & Malware – Filters out harmful software before it reaches your
computer.
3. Controls Network Traffic – Allows only safe data while blocking harmful or
unnecessary traffic.
4. Protects Sensitive Information – Stops cybercriminals from stealing personal or
business data.
Real-Life Examples of Firewalls:

• Your Home Wi-Fi Router: Most routers have built-in firewalls to block harmful
websites and unauthorized devices.

• Corporate Network Security: Companies use firewalls to protect their
employees' computers from hackers.

• Antivirus Software: Some security programs include firewalls to stop harmful
downloads and suspicious connections.

Firewall Processing Modes

Firewalls work in different ways to protect computers and networks. Here are the five
main types, explained simply with examples.

1. Packet Filtering Firewall (Basic Security Check)

How it works:

• Think of it as a security guard at a gate who checks IDs before letting people in.

• It examines data packets (small pieces of information sent over the internet) and
allows or blocks them based on rules like IP addresses, ports, and protocols.
Example:

• A company blocks all incoming traffic except from specific IP addresses to
prevent hackers from connecting.

• Your home Wi-Fi router may have basic firewall rules to block suspicious traffic.
Pros: Fast and simple.
Cons: Doesn’t deeply inspect data, so some threats can get through.
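
Added example, not part of the original notes: a minimal first-match packet filter in Python that decides on source IP, protocol, and destination port only, and blocks anything no rule matches. The rule set, the addresses (documentation ranges), and the names Packet, Rule, RULES, matches, filter_packet and run_samples are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Packet:
    src_ip: str
    protocol: str            # "tcp" or "udp"
    dst_port: int
    payload: bytes = b""     # carried along, never examined by the filter

@dataclass(frozen=True)
class Rule:
    action: str              # "allow" or "block"
    src_net: str             # source network in CIDR notation
    protocol: str            # "tcp", "udp" or "any"
    dst_port: Optional[int]  # None matches any port

# Constructed rule set (documentation address ranges): only named sources get in.
RULES = [
    Rule("block", "203.0.113.66/32", "any", None),   # one revoked host, listed first
    Rule("allow", "203.0.113.0/24", "tcp", 443),     # partner office to HTTPS
    Rule("allow", "198.51.100.10/32", "tcp", 22),    # single admin workstation to SSH
]

def matches(rule: Rule, pkt: Packet) -> bool:
    """Compare header fields only: source address, protocol, destination port."""
    src_ok = ipaddress.ip_address(pkt.src_ip) in ipaddress.ip_network(rule.src_net)
    proto_ok = rule.protocol in ("any", pkt.protocol)
    port_ok = rule.dst_port is None or rule.dst_port == pkt.dst_port
    return src_ok and proto_ok and port_ok

def filter_packet(pkt: Packet, rules=RULES) -> str:
    """First matching rule wins; anything unmatched is blocked (default deny)."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action
    return "block"

def run_samples():
    """Constructed inbound packets and the decision for each."""
    samples = [
        Packet("203.0.113.7", "tcp", 443),
        Packet("203.0.113.66", "tcp", 443),    # hits the earlier block rule
        Packet("192.0.2.50", "tcp", 443),      # unknown source, default deny
        Packet("198.51.100.10", "tcp", 22),
        Packet("203.0.113.7", "udp", 443),     # right source, wrong protocol
        # Allowed source and port: the payload is not looked at, so it passes.
        Packet("203.0.113.7", "tcp", 443, b"constructed-unwanted-content"),
    ]
    return [(p.src_ip, p.protocol, p.dst_port, filter_packet(p)) for p in samples]

if __name__ == "__main__":
    for row in run_samples():
        print(row)
```

The last sample is the limitation listed under Cons: the decision never reads the payload, so content checks have to come from another layer such as the application gateway described next.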

2. Application Gateway (Proxy Server – Advanced Security Check)

How it works:

• Acts like a middleman between your device and the internet.

• Instead of directly connecting to websites, your request first goes through the
firewall, which checks it for security threats.
Example:

• A school uses a proxy server to block access to social media websites.

• A company uses it to prevent employees from downloading harmful files.


Pros: Provides deep inspection of internet traffic.
Cons: Can be slow because it processes every request.

3. Circuit Gateway (Secure Connection Setup)

How it works:

• Think of it as a telephone operator that sets up a secure connection between
two people but doesn’t listen to their conversation.

• It controls network connections but does not inspect the data inside.
Example:

• Used in VPNs to create a secure connection between a remote worker and their
company’s office network.
Pros: Good for securing connections.
Cons: Doesn’t check data for threats.

4. MAC Layer Firewall (Security Based on Device Identity)

How it works:

• Works like a VIP list at a club – only devices with approved MAC addresses
(unique device IDs) are allowed in.
Example:

• A company allows only company-issued laptops to access their Wi-Fi, blocking
all personal devices.
Pros: Strong security for controlling which devices can connect.
Cons: Hard to manage in large networks.

5. Hybrid Firewall (Combination of Multiple Firewalls)

How it works:

• Think of it as a security system with multiple layers – using different firewall
types together for stronger protection.
Example:

• A company combines a packet filtering firewall to block general threats, a proxy
server to filter web traffic, and a MAC layer firewall to control which devices can
connect.
Pros: Best security because it covers different threats.
Cons: More complex to set up and manage.

Firewall Type | Simple Explanation | Example Use Case | St
Packet Filtering | Checks basic info (IP, port) | Wi-Fi router blocking harmful traffic | Ba
Application Gateway (Proxy) | Middleman that inspects data | Blocking social media at school | St
Circuit Gateway | Secures connection, but doesn’t inspect data | VPNs for remote work | Go
MAC Layer | Blocks unauthorized devices | Only company laptops on office Wi-Fi | St
Hybrid | Combines multiple firewalls | Enterprise security systems | Be

VPN (Virtual Private Network)

A VPN (Virtual Private Network) is a tool that helps protect your online privacy by
encrypting your internet connection and hiding your IP address. It creates a secure
and private tunnel for your data, making it harder for hackers, websites, or even
your internet provider to track what you're doing online.

How Does a VPN Work?


Imagine you're sending a letter through a secret tunnel instead of the regular mail
system. A VPN does something similar for your internet traffic:
1. Hides Your IP Address – Instead of showing your real location, a VPN makes it
look like you're browsing from another place.
2. Encrypts Your Data – Converts your internet traffic into unreadable code, so
hackers or snoopers can't see it.
3. Bypasses Restrictions – Helps you access blocked websites and services, such as
Netflix libraries from other countries or sites restricted in certain locations.
Importance of VPN:

• Protects Privacy – Stops websites, advertisers, and hackers from tracking your
online activity.

• Secures Public Wi-Fi – Prevents data theft when using Wi-Fi in cafes, airports, or
hotels.

• Bypasses Censorship & Geo-Restrictions – Lets you access websites and content
unavailable in your country.

• Safer Online Banking & Shopping – Encrypts financial transactions to protect
your sensitive data.

Physical Design of VPNs

A VPN (Virtual Private Network) is primarily a software-based technology, but its
physical design includes various hardware components that enable secure
communication. The physical infrastructure of a VPN consists of:

• Client devices

• VPN routers

• VPN servers

• Firewalls

• Encryption hardware.

1. User Side (Initiates VPN Connection)

• User Device: This could be a laptop, phone, or any device that connects to
the VPN.

• VPN Router: Encrypts data before sending it over the network.

• Encrypted Data: The user’s internet traffic is protected and sent securely.
2. Security Layer (Protects the Network)

• Firewall: Filters traffic, blocking unauthorized access or threats.

• Traffic Filtering: Ensures only valid requests pass through the firewall.
3. Server Side (Processes and Forwards Data)

• VPN Server: Decrypts the data and routes it to its destination.