Wednesday, April 9, 2008

Policies, Procedures, Standards, Baselines and Guidelines

The senior manager has to protect the computers and information in the most cost-effective manner possible, through risk management.
He defines the scope of security, what is expected from employees, and what the consequences of noncompliance will be.
A security program includes: Policies, Procedures, Standards, Baselines and Guidelines.

The policies are the strategy; procedures, standards, baselines and guidelines are the tactics. Procedures are the lowest level in the policy chain.


Security Policy

The policy provides the foundation; procedures, standards, baselines and guidelines are the security framework.

There are three categories or types of policies:

Regulatory

Ensures that the organization is following the standards required by a specific industry or law.

Advisory

Strongly suggests certain types of behaviors and activities.

Informative

Informs about some topics; it is not an enforceable policy, its purpose is to teach people.


The security policies are:

Organizational Security Policy

- How the security program will be set up.
- The program's goals.
- Assigns responsibilities.
- Strategic and tactical value of security.
- How enforcement should be carried out.

The organizational security policy provides scope and direction for all future security activities within the organization and defines the amount of risk senior management is willing to accept.

Issue-specific policies

These policies are more detailed, because they provide direction and structure for the staff on a particular issue.

For example: an email security policy.

System-specific policy

System policies include: computers, networks, applications and data.

- Approved software list.
- How to configure firewalls.
- How databases have to be protected.
- And so on.

More granularity is needed in this kind of policy.

Standards

Mandatory rules.
Standards and baselines achieve consistency in the security implementation.

Baselines

Provide the minimum security level necessary throughout the organization.
For example: at all workstations of the company, at least C2 level is required.

Guidelines

Recommended actions and operations for staff and users when a specific standard doesn't apply.
Guidelines are flexible.

Procedures

Tasks detailed step by step to achieve a certain goal.
Procedures spell out how the policy, standards, and guidelines will actually be implemented.
