Chapter 5 - 03 - Learn to Design and Develop Security Policies PDF

Certified Cybersecurity Technician Network Security Controls — Administrative Controls Exam 212-82 Module Discuss Various Regulatory Frameworks, Laws, and Acts O \ 4 o ® Learn to Design and Develop Flow (7 y. Understand Information Security O Governance and Compliance Program «/ Security Policies \\\7 y/ / & \ Learn to Conduct Different Types of %/ Security and Awareness Training Copyright © by EC-CounciL All Rights Reserved. Reproduction is Strictly Prohibited Learn to Design and Develop Security Policies Organizations need to design and develop security policies and procedures to ensure availability, confidentiality, and integrity across the network. This section explains the need for a security policy, its characteristics, contents, and types of security policies. Module 05 Page 552 Certified Cybersecurity Technician Copyright © by EG-Council All Rights Reserved. Reproduction is Strictly Prohibited. Certified Cybersecurity Technician Network Security Controls — Administrative Controls Exam 212-82 What is Security Policy? O A security policy is a well-documented set of plans, Asecurity Ts 7 processes, procedures, standards, and guidelines @ required to establish an ideal information security status of an organization ! 0O O Security Security policies are used to inform people on how to work in a safe and secure manner; they define and guide employee actions on how to deal with organization sensitive operation, data, or resources O The security policy is an integral part of an information security management program for any organization ﬁ 1 What is Security Policy? A security policy is a well-documented set of plans, processes, procedures, standards, and guidelines required to establish an ideal information security status of an organization. Security policies are used to inform people on how to work in a safe and secure manner; they define and guide employee actions on how to deal with organization sensitive operation, data, or resources. The security policy is an integral part of an information security management organization program for any Security policy is a high-level document, or set of documents, describing the security controls to implement in order to protect a company. It maintains confidentiality, availability, integrity, and asset values. Security policies form the foundation of a security infrastructure. Without them, it is impossible to protect the company from possible lawsuits, lost revenue, and bad publicity, or even basic security attacks. Such policies accomplish three goals: = Reduce or eliminate the legal liability to employees and third parties; = Protect confidential and proprietary information from theft, misuse, unauthorized disclosure, or modification; and ®== Prevent computing resource waste. A security policy comprises objectives, rules for behavior, and requirements to secure an organization’s network and computer systems. Security policies function as a connecting medium between the objectives and security requirements, as well as to help users, staff, and managers protect technology and information assets. The policy provides a baseline to acquire, configure, and audit computer systems and networks. Module 05 Page 553 Certified Cybersecurity Technician Copyright © by EG-Council EC-Council All Rights Reserved. Reproduction is Strictly Prohibited. Certified Cybersecurity Technician Network Security Controls — Administrative Controls Exam 212-82 A security policy defines a set of security tools for preventing attacks on the entire network in order to keep malicious users away from an organization and provide control over perilous users within an organization. Module 05 Page 554 Certified Cybersecurity Technician Copyright © by EG-Council All Rights Reserved. Reproduction is Strictly Prohibited. Certified Cybersecurity Technician Network Security Controls — Administrative Controls Exam 212-82 Need for a Security Policy Provide consistent application of security principles throughout the @ Provide legal protection organization @ standards compliance Limit the organization’s exposure to external information threats ﬁtil;'::t;espond to security. Ensure information security @ = @. © nior managemen 5, commitment Outiine lin seniorin maintaining management's a ~— ~o~ Reduce the impact of a security incident Minimize the risk of a data breach secure environment Need for a Security Policy = The number of devices used across an organization is increasing, which is, in turn, = A security policy provides consistent application of security principles throughout the increasing the size and complexity of the information being transferred, networks being used, and storage space. At the same time, the likelihood of security threats originating from various vulnerabilities is increasing. A security policy enables an organization to combat such threats and protect it from losing information. company to ensure secure functioning of services. It ensures compliance to information security industry standards, building a trust-based relationship with clients. It helps limit a company’s exposure to external information threats, while indicating senior management’s commitment to maintaining a secure environment. = Further, security policy provides legal protection by defining what rules to use on the network, how to handle confidential information, and the proper use of encryption, which together reduce liability and exposure of an organization’s data. = Security polices reduce the risk of damaging security incidents vulnerabilities and predicting the threats before they occur. = They also comprise procedures and techniques to minimize the risk of an organization’s data leak or loss by adopting backup and recovery options. = Ensure information security standards compliance. = Enhance the overall data and network security. Module 05 Page 555 by identifying the Certified Cybersecurity Technician Copyright © by EG-Council All Rights Reserved. Reproduction is Strictly Prohibited. Certified Cybersecurity Technician Network Security Controls — Administrative Controls Exam 212-82 Advantages of Security Policies Enhanced Data and Network Security Risk Mitigation Monitored and Controlled Device Usage and Data Transfers @] @ Better Network Performance ( 0' m Quick Response to Issues and Lower D Downtime i < @ Reduction in Management Stress Levels < Q D cll. ANl Rights Reserved. Reproductionis Strictly Prohibit Advantages of Security Policies Enhanced Data and Network Security: Organizations implement a policy based on their network, which enhances their data security. It facilitates protection when sharing information among other systems on a network. Risk Mitigation: The risks involved from external sources are reduced by implementing and deploying security policy. If an employee follows the policy exactly, it becomes nearly impossible for an organization to lose its data and resources. Monitored and Controlled Device Usage and Data Transfers: Although policies are being implemented thoroughly by employees, administrators should regularly monitor the traffic and external devices used in the system. Monitoring and auditing the incoming and outgoing traffic should always be done on regular intervals. Better Network Performance: When security policies are implemented correctly and the network is monitored regularly, no unnecessary loads exist. The data transmission speed in the system increases, providing an overall performance enhancement. Quick Response to Issues and Lower Downtime: Policy deployment and implementation enables faster response rates when resolving network issues. Reduction in Management Stress Levels: The role of management becomes less stressful when policies are implemented. Every policy must be followed by every employee in an organization. If this occurs, management will be less burdened by potential malicious attacks on the network. Reduced Costs: If employees follow the policies correctly, the cost of each intrusion is reduced as well as the impact on an organization. Module 05 Page 556 Certified Cybersecurity Technician Copyright © by EG-Council All Rights Reserved. Reproduction is Strictly Prohibited. Certified Cybersecurity Technician Network Security Controls — Administrative Controls Exam 212-82 Characteristics of a Good Security Policy O O Concise and Clear Realistic © O Usable Economically Feasible Understandable Consistent Procedurally Tolerable Legal Compliance Copyright © by EC-Council All Rights Reserved. Reproduction Is Strictly Prohibited. Characteristics of a Good Security Policy Features of a Good Security Policy: 1. Concise and Clear: A security policy needs to be concise and clear, which ensures easy deployment in the infrastructure. Complex policies become hard to understand and employees may not implement them as a result. 2. Usable: Policies must be written and designed, so they may be used easily across various sections of an organization. Well-written policies are easy to manage and implement. 3. Economically Feasible: Organizations must implement policies that are economical and enhance the security of an organization. 4. Understandable: Policies must be easy to understand and follow. 5. Realistic: Policies must be practical based on reality. Using fictional items in a policy will only hurt an organization. 6. Consistent: Organizations must have consistency when implementing their policies. 7. Procedurally Tolerable: Procedural policies should be employer-employee friendly. 8. Cyber and Legal Laws, Standards, Rules and Regulations Compliance: Any policy that is implemented must comply with all rules and regulations regarding cyber laws. Module 05 Page 557 Certified Cybersecurity Technician Copyright © by EG-Gouncil All Rights Reserved. Reproduction is Strictly Prohibited.

Chapter 5 - 03 - Learn to Design and Develop Security Policies PDF

Document Details

Tags

Related

Summary

Full Transcript

Upgrade to continue