Module 10 Security Policies
Tirocinante Consorzi
Created on September 18, 2023
Transcript
preface (1/2)
Security Policies
A security policy serves as a guiding document that outlines an organization's approach to safeguarding its systems, networks, data, and assets. It sets the standards and expectations for employees, defines their roles and responsibilities, and provides a framework for mitigating risks and protecting against security breaches.
preface (2/2)
By the end of this module, you will have reached the following goals:
- You know the purpose and importance of a security policy
- You know how you can write a good security policy
- You know the characteristics of a Good and Effective Security Policy
- You have seen some examples of security policies
Security policy
Security policies serve different purposes; we give two examples.
- Employees often represent the weakest link in an organization's security, inadvertently clicking on malicious links or attachments, sharing passwords, or neglecting to encrypt sensitive files.
- To address this vulnerability, it is essential to establish a comprehensive cybersecurity policy that outlines each employee's responsibilities in protecting systems and data.
- When there is a cyber attack in your organization, everyone on the IT team, communication team, management team, ... should know what to do.
- In a security policy, you can describe these different roles so that they are clear to everyone.
What is a security policy?
- A security policy is a collection of standardized practices and procedures aimed at safeguarding a business's network from potential threats.
- It establishes general security expectations, roles, and responsibilities within the organization, while also addressing specific areas of cybersecurity, such as antivirus software usage and cloud application guidelines.
Why is a security policy important?
To make everyone in the organization aware of the rules and procedures that must be followed. It emphasizes the need for compliance from every individual in the company and clearly states the consequences of non-compliance.
Why is there a Need for Security Policies?
Security policies in the workplace are not optional but essential:
- They ensure the security of all parties involved, including business owners, partners, and clients.
- They allow potential security violations to be addressed with appropriate solutions and corresponding penalties.
- They empower business owners to take necessary actions and precautions when faced with security threats.
- They minimize risks and reduce liability for the organization.
Development and update
The development and updates to a security policy are typically led by the Chief Information Security Officer (CISO). However, it is essential for the CISO to collaborate with executives from other departments to ensure that policies are comprehensive and up-to-date. A good security policy needs to have certain characteristics; we give an overview in the following slides.
Characteristics of a Good and Effective Security Policy (1/7)
A good and effective security policy begets privacy.
Characteristics of a Good and Effective Security Policy (2/7)
A good and effective security policy demonstrates a company's commitment to considering and prioritizing the interests of its business partners and clients.
Characteristics of a Good and Effective Security Policy (3/7)
A good and effective security policy aligns with local and national laws, ensuring the company's compliance and resilience in the face of potential threats.
Characteristics of a Good and Effective Security Policy (4/7)
A good and effective security policy is regularly updated, ensuring that every individual within the company remains informed.
Characteristics of a Good and Effective Security Policy (5/7)
A good and effective security policy is characterized by its clarity and level of detail.
Characteristics of a Good and Effective Security Policy (6/7)
A good and effective security policy places emphasis on people rather than solely relying on tools and applications.
Characteristics of a Good and Effective Security Policy (7/7)
A good and effective security policy is both practical and enforceable.
Acceptable use policy (AUP)
An AUP is used to specify the restrictions and practices that an employee using organizational IT assets must agree to in order to access the corporate network or systems. It is a standard onboarding policy for new employees, ensuring that they have read and signed the AUP before being granted a network ID. A template for the AUP is available at SANS for your use.
https://assets.contentstack.io/v3/assets/blt36c2e63521272fdc/bltf1b7f26fcac01500/5e9dd4b5c492412a1bbc1601/acceptable_use_policy.pdf
Data breach response policy
The goal of the data breach response policy is to describe the process of handling an incident and remediating the impact on business operations and customers. This policy typically defines staff roles and responsibilities in handling an incident, standards and metrics, incident reporting, remediation efforts, and feedback mechanisms. A template for the data breach response policy is available at SANS for your use.
https://assets.contentstack.io/v3/assets/blt36c2e63521272fdc/bltab7d19ca9100e50e/5e9ddae7674ec260f325c3ca/data_breach_response.pdf
Disaster recovery plan policy
A disaster recovery plan is developed as part of the larger business continuity plan, which includes both cybersecurity and IT teams’ recommendations. The CISO and assigned teams will then manage an incident through the data breach response policy. However, the business continuity plan is activated only when the incident has a significant impact on the organization. A template for the disaster recovery plan is available at SANS for your use.
https://assets.contentstack.io/v3/assets/blt36c2e63521272fdc/blt3cf8b9a0b2e45133/5e9ddb9ab1704560004196b5/disaster_recovery_plan_policy.pdf
Remote access policy
According to an IBM study, remote work during COVID-19 increased data breach costs in the United States by $137,000. Organizations can implement a remote access policy that outlines and defines procedures to remotely access the organization’s internal networks. Organizations require this policy when there are dispersed networks with the ability to extend into unsecured network locations, such as home networks or coffee shops.
Access control policy
An access control policy (ACP) defines the standards for user access, network access controls, and system software controls. Additional supplementary items often include techniques for monitoring how systems are accessed and used, how access is removed when an employee leaves the organization, and how unattended workstations should be secured.
conclusion
Security policies are important for an organization because they:
- Establish guidelines and standards for protecting systems, data, and assets.
- Mitigate risks and vulnerabilities.
- Ensure compliance with legal and regulatory requirements.
- Foster a security-conscious culture.
- Define roles and responsibilities for employees.
- Help maintain trust and confidence among stakeholders.
- Provide a framework for incident response and recovery.
- Enhance overall security posture and resilience against threats.
- …