Lesson 5: Policies

Security professionals do a lot of writing. We need clearly written guidance to communicate security expectations and responsibilities to business leaders, to users, and to each other. In some cases we’re setting forth mandatory rules that everyone in the organization must follow, while in other cases we’re simply giving advice. Each of these roles requires communicating a little differently. That’s where the Security Policy Framework comes into play. Most security professionals recognize a framework consisting of four types of documents: policies, standards, guidelines, and procedures. Security policies are the bedrock documents that provide the foundation for an organization’s information security program. They are often developed over a long period of time and are very carefully written to describe an organization’s security expectations. Compliance with policies is mandatory, and policies are often approved at the very highest levels of an organization. Because of the rigor involved in developing security policies, authors should strive to write them in a way that will stand the test of time. For example, statements like “All sensitive information must be encrypted with AES-256 encryption” or “Store all employee records in room 225” are not good policy statements. What happens if the organization switches encryption technologies or moves its records room? Instead, a policy might make statements like “Sensitive information must be encrypted, both at rest and in transit, using technology approved by the IT Department” or “Employee records must be stored in a location approved by Human Resources.” These statements are much more likely to stand the test of time. Security standards prescribe the specific details of the security controls that the organization must follow. Standards derive their authority from policy.
In fact, it’s likely that an organization’s security policy would include specific statements giving the IT Department the authority to create and enforce standards. Standards are the place to include things like the company’s approved encryption protocols, record storage locations, configuration parameters, and other technical and operational details. Even though standards might not go through as rigorous a process as policies, compliance with them is still mandatory. When it comes to complex configuration standards, organizations often draw upon industry sources such as the standards available from the Center for Internet Security. These security standards provide detailed configuration settings for a wide variety of operating systems, network devices, application platforms, and other components of the IT infrastructure. They provide a great starting point for an organization’s own security standards. Some organizations simply use them as is, while others adopt them with slight customizations or simply use them as a reference when developing their own custom security standards. Guidelines are where security professionals provide advice to the rest of the organization, including best practices for information security. For example, a guideline might suggest that employees use encrypted wireless networks whenever they are available. There might be situations where a traveling employee does not have access to an encrypted network, in which case they can compensate by using a VPN connection. Remember that guidelines are advice, and compliance with guidelines is not mandatory. Procedures are step-by-step instructions that employees may follow when performing a specific security task.
For example, the organization might have a procedure for activating the incident response team that involves sending an urgent SMS alert to team members, activating a video conference, and informing senior management. Depending upon the organization and the type of procedure, compliance may be mandatory or optional. When you take the exam, be sure that you keep the differences between policies, standards, guidelines, and procedures straight. Specifically, remember that compliance with policies and standards is always mandatory, complying with guidelines is always optional, and compliance with procedures can go either way depending upon the organization and the specific procedure in question.

Policies form the foundation of any information security program, and having strong data security policies is a critical component of your efforts to protect information. Data security policies and procedures play several important roles in an organization. No matter what specific issue a policy or procedure covers, it should meet several key criteria. It should provide the foundational authority for your data security efforts, adding legitimacy to your work and providing the hammer, if it’s needed, to ensure compliance. The policy should also offer clear expectations to everyone involved in data security by explaining what data must be protected and the controls that should be used to protect that data. It should also provide guidance on the appropriate paths to follow when requesting access to data for business purposes and offer an exception process for formally requesting policy exceptions when they’re necessary to meet business requirements. Let’s take a look at a few of the key issues that your data security policy should cover, following the principles that I just described. Data classification policies describe the security levels of information used in an organization and the process for assigning information to a particular classification level. These classifications are assigned based upon both the sensitivity of information and the criticality of that information to the enterprise. For example, the military uses the familiar top secret, secret, confidential, and unclassified classification scheme, while a business might use friendlier terms to accomplish the same goal, such as highly sensitive, sensitive, internal, and public. Data classification policies are extremely important because these classifications are used as the basis for other data security decisions. Data storage is also a key component of security policy. Data storage policies should explain to users the appropriate storage locations for data of varying classification levels.
For example, a policy might restrict the use of cloud storage solutions for highly sensitive information. They should also include access control requirements for stored information, including the process used to gain access to data and the mechanisms used to enforce access controls. The data storage policy should also include the encryption requirements for information at different classification levels and in different storage environments. For example, an organization might allow the unencrypted storage of information on hard drives located in their own data center, but require encryption for all other storage locations, such as cloud services or employee laptops. Data transmission policies protect data in motion. Data is especially vulnerable when it’s being transmitted over a network because it’s susceptible to eavesdropping attacks. Therefore, data transmission policies should cover what data may be transmitted over different kinds of networks and under what authority. They should also include the use of encryption to protect information in transit on public and private networks and the appropriate transmission mechanisms for sensitive information, such as the types of information that may leave corporate networks without special permission. Finally, data lifecycle policies provide important guidance concerning the end-of-life process for information. This is important because information may retain sensitivity even after the organization no longer requires it. Data lifecycle policies should address at least two important issues. First, data retention policies should describe how long an organization will keep different data elements. This may include a minimum retention period, such as retaining all tax-related records for seven years. It may also include a maximum retention period, stating, for example, that customer credit card information should only be retained for the length of time necessary to complete the transaction. 
Data retention policies limit an organization’s risk exposure by ensuring that data is kept for as long as it is needed, but no longer. These policies affect both hardware and personnel, and should apply equally to electronic and paper records. Data retention policies should also cover the proper disposal of data, including the wiping techniques used to securely erase hard drives, flash drives, and other storage media before they are thrown away, recycled, or otherwise discarded. This is extremely important because of data remanence issues. Simply deleting files or formatting a hard disk is not sufficient to remove all traces of data from a device. Security administrators must use specialized tools to securely wipe storage devices and prevent the future retrieval of information believed to be deleted. In the world of cloud computing, security policies take on special importance. Policies, guidelines, and standards should provide users with clear guidance on what information may be stored and processed in the cloud. These policies should also clearly describe the process that the organization follows when choosing to review and approve a new cloud service for use.
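As an added example (not part of the lesson), the following Python sketch expresses the two ideas above as policy-as-code: the policy/standard split from the first part of the lesson, where the policy rules stay fixed and the standard carries the changeable specifics (approved ciphers, approved storage locations per classification), and the data storage and retention rules from the second part (minimum and maximum retention periods). The classification labels, record kinds and values are constructed for illustration and are not taken from any real organization.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional

# --- Standard: the specifics IT may change without rewriting the policy (constructed values) ---
APPROVED_CIPHERS = {"AES-256-GCM", "ChaCha20-Poly1305"}
APPROVED_LOCATIONS = {  # storage locations permitted for each classification label
    "highly_sensitive": {"datacenter"},
    "sensitive": {"datacenter", "laptop", "cloud"},
    "internal": {"datacenter", "laptop", "cloud"},
    "public": {"datacenter", "laptop", "cloud"},
}
ENCRYPTION_OPTIONAL_AT = {"datacenter"}  # plaintext tolerated only on the organization's own drives
# Retention per record kind: (minimum days to keep, maximum days to keep); None means no bound
RETENTION = {"tax_record": (7 * 365, None), "card_number": (None, 0), "memo": (None, 3 * 365)}

@dataclass
class StoredItem:
    kind: str                # e.g. "tax_record"
    classification: str      # one of the four business labels above
    location: str            # where this copy currently lives
    cipher: Optional[str]    # None means stored in the clear
    created: date
    still_needed: bool       # a business purpose (e.g. an open transaction) still requires it

def storage_findings(item: StoredItem) -> List[str]:
    """Policy rules from the data storage policy; each looks up its details in the standard."""
    findings = []
    # Policy: data may be stored only in locations approved for its classification.
    if item.location not in APPROVED_LOCATIONS.get(item.classification, set()):
        findings.append(f"{item.kind}: {item.location} not approved for {item.classification}")
    # Policy: sensitive data is encrypted with IT-approved technology outside exempt locations.
    must_encrypt = (item.classification in {"highly_sensitive", "sensitive"}
                    and item.location not in ENCRYPTION_OPTIONAL_AT)
    if must_encrypt and item.cipher not in APPROVED_CIPHERS:
        findings.append(f"{item.kind}: cipher {item.cipher} not approved")
    return findings

def retention_action(item: StoredItem, today: date) -> str:
    """Apply the retention standard: returns 'retain', 'may_dispose' or 'must_dispose'."""
    minimum, maximum = RETENTION.get(item.kind, (None, None))
    age_days = (today - item.created).days
    if minimum is not None and age_days < minimum:
        return "retain"          # inside the minimum period: keep even if no longer needed
    if maximum is not None and age_days >= maximum and not item.still_needed:
        return "must_dispose"    # past the maximum with no business need: securely wipe
    return "retain" if item.still_needed else "may_dispose"
```

Switching encryption technology means editing APPROVED_CIPHERS in the standard; the policy checks themselves do not change, which is the point the lesson makes about writing policies that stand the test of time.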
