CISSPills #3.05

CISSPills, Domain 3: Information Security Governance and Risk Management, #3.05

Transcript of CISSPills #3.05

Page 1: CISSPills #3.05

CISSPills, Domain 3: Information Security Governance and Risk Management, #3.05

Page 2: CISSPills #3.05

CISSPills

Table of Contents

- Security Policy Framework
- Security Policy Framework Hierarchy
- Security Policy
- Standards
- Guidelines
- Procedures
- Baselines
- Data Classification

Page 3: CISSPills #3.05


Security Policy Framework

In order to reduce the likelihood of a security failure, the information security implementation has to be formalised to some degree by implementing a Security Policy Framework (SPF). An SPF involves the creation of a hierarchical set of documents; each level down the hierarchy increases the level of detail and covers more specific information and issues.

Page 4: CISSPills #3.05


Security Policy Framework Hierarchy

(Diagram: pyramid of Policies, Standards, Guidelines and Procedures, from top to bottom, moving from the strategic level at the top to the tactical level at the bottom.)

Page 5: CISSPills #3.05


Security Policy

This is an overall general statement produced by senior management to define the main security objectives and to outline the security framework of an organisation. It is a strategic plan for implementing security and is used to:

- assign responsibilities;
- define roles;
- specify audit requirements;
- outline enforcement processes;
- indicate compliance requirements;
- define acceptable risk.

The Security Policy is often used as proof that management is exercising due care, and it is compulsory. Policies are written in broad terms; however, more granularity is needed to support them, and this is where standards, guidelines and procedures come into play.

Page 6: CISSPills #3.05


Security Policy (cont'd)

- Organisational security policy: this focuses on issues relevant to every aspect of an organisation. It is also referred to as the master security policy;
- Issue-specific policy: this focuses on individual topics that management feels need more detailed explanation and attention to make sure a comprehensive structure is built (e.g. e-mail);
- System-specific policy: this focuses on individual systems, or types of systems, and outlines how these should be protected (e.g. databases).

In addition to these focused types of policies, there are three overall categories of security policies: regulatory, advisory and informative.

- Regulatory policy: this type of policy ensures that the organisation is following standards set by specific industry regulations (e.g. HIPAA, PCI-DSS, etc.); it is very detailed and specific to a type of industry (e.g. Financial Services);
- Advisory policy: this type of policy discusses behaviours and activities that are acceptable and defines the consequences of violations;
- Informative policy: this type of policy is designed to provide information or knowledge about a specific subject; it is not enforceable, but rather teaches individuals about specific issues.

Page 7: CISSPills #3.05


Standards

Standards are mandatory activities, actions or rules that help support and reinforce policies. They are tactical documents, which ensure that specific technologies, applications and parameters are applied in a consistent fashion (standardised) across the organisation. They are more granular than a policy and specify how protection should be implemented and followed.

Page 8: CISSPills #3.05


Guidelines

Guidelines are the next tier in the SPF hierarchy; they offer recommendations on how standards are implemented and serve as operational guides for both security professionals and users. Whereas standards are specific mandatory rules, guidelines are not compulsory.

Page 9: CISSPills #3.05


Procedures

Procedures are the final element of the hierarchy; they are detailed step-by-step documents that describe the exact actions necessary to implement a specific security mechanism, control or solution. The purpose of a procedure is to ensure the integrity of a business process: if everything is accomplished by following the detailed steps, then all the activities should be in compliance with policies, standards and guidelines. Procedures ensure standardisation of security across all systems.

Page 10: CISSPills #3.05


Baselines

The term baseline can have two meanings:

- it can refer to a point-in-time configuration or status that is used as a comparison for future changes;
- it can also refer to the minimum level of protection required.

Page 11: CISSPills #3.05


Data Classification

Data Classification is the process of organising items, information, objects and so forth based on their need for secrecy, sensitivity or confidentiality. The reason for this categorisation is that securing every asset in the same way is not cost-effective; data classification is therefore the practice that makes it possible to ensure that assets are protected in proportion to their level of criticality. Once data are categorised according to their sensitivity level, it is possible to decide which security controls are necessary to protect each classification level.

Data classification allows an organisation to follow a risk-based approach to asset protection, which means that the number and strength of the controls deployed for an asset depend on its importance.

Page 12: CISSPills #3.05


That's all, Folks! We are done, thank you for the interest! Hope you have enjoyed these pills as much as I have had fun writing them. For comments, typos, complaints or whatever you want, drop me an e-mail at:

cisspills <at> outlook <dot> com

More resources: Stay tuned on for the next issues; Join "CISSP Study Group Italia" if you are preparing for your exam.

Brought to you by Pierluigi Falcone. More info about me on

Contact Details