Information Security Policies

A standard is a written instruction provided by management that informs employees and others in the workplace about proper behavior.

False

Good security programs begin and end with policy.

True

The ISSP is a plan which sets out the requirements that must be met by the information security blueprint or framework.

False

Each policy should contain procedures and a timetable for periodic review.

True

A policy should state that if employees violate a company policy or any law using company technologies, the company will protect them, and the company will provide for the employee's legal defense.

False

Having a formal degree or certification in information security is not a requirement for members of the InfoSec department.

True

Security training provides general information about security threats to employees.

False

The ISO/IEC 27000 series is an original standard and not derived from any earlier standard.

False

NIST Special Publication 800-18 Rev. 1 provides general guidelines for developing security plans for federal information systems.

False

Managerial controls specify the technical implementation details of security controls.

False

Study Notes

Security Policies and Frameworks

  • A standard is not a written instruction provided by management that informs employees about proper behavior.
  • Good security programs begin and end with policy.

Information Security Programs

  • The ISSP (Issue-Specific Security Policy) is not a plan that sets out the requirements that must be met by the information security blueprint or framework.
  • A single, comprehensive ISSP document can cover all information security issues.

Policy Guidelines

  • Each policy should contain procedures and a timetable for periodic review.
  • A policy should not state that the company will protect employees who violate company policy or law using company technologies, or provide for their legal defense.

Policy Administration

  • The policy administrator is responsible for the creation, revision, distribution, and storage of the policy.
  • To remain viable, security policies must have a responsible individual, a schedule of reviews, a method for making recommendations for reviews, and policy issuance and planned revision dates.

Security Training and Certification

  • Security training provides detailed information and hands-on instruction to employees to prepare them to perform their duties securely.
  • Not every member of the organization's InfoSec department must have a formal degree or certification in information security.

Security Frameworks and Standards

  • The security framework is not a more detailed version of the security blueprint.
  • The complete details of ISO/IEC 27002 are not widely available to everyone.
  • The ISO/IEC 27000 series is derived from an earlier standard, BS7799.

NIST Guidelines and Frameworks

  • NIST 800-14's Principles for Securing Information Technology Systems can be used to ensure key elements of a successful effort are factored into the design of an information security program.
  • NIST Special Publication 800-18 Rev. 1 provides templates for major application security plans and detailed methods for assessing, designing, and implementing controls and plans for applications of varying size.
  • In 2016, NIST did not publish a new Federal Master Cybersecurity Framework to create a mandatory framework for managing cybersecurity risk for the delivery of critical infrastructure services at every organization in the United States.

Managerial Controls and Defense in Depth

  • Managerial controls set the direction and scope of the security process and provide detailed instructions for its conduct.
  • To achieve defense in depth, an organization must establish multiple layers of security controls and safeguards.

Strategic Planning and Security Policies

  • An operational plan does not document the organization's intended long-term direction and efforts for the next several years (strategic plan does).
  • Guidelines are not detailed statements of what must be done to comply with policy (standards are).
  • A strategic information security policy is also known as an enterprise security policy, and sets the strategic direction, scope, and tone for all security efforts.
