news

  • Apple security flaw for iPhones, iPads and Macs
  • Chrome patch for an actively exploited zero-day
  • GitHub blighted by a researcher who created thousands of malicious projects
  • Russian cyber attacks on Lockheed Martin
    • armed forces hack into HIMARS

Policies

Defn: a plan or course of action to influence and determine decisions

  • high-level rules regarding the operations of an organisation
  • policies state management's intent and will
  • used by governments, businesses, political parties, universities etc.

Policies provide a roadmap for day-to-day operations

  • an organisation's internal law
    • must also comply with the actual law
  • important for the resolution of legal disputes
    • provide accountability
    • can protect both the organisation and its employees
  • ensure consistency
    • do not change or deteriorate when staff change
  • evidence of quality control, internal audits etc.

Good policies

are properly

  • disseminated
  • read
  • understood
  • agreed-to
  • uniformly enforced

and help us answer these questions

  • what information should be collected
  • how should it be stored
  • who is responsible for managing it
  • who can access it
  • what information should be published
  • how long should it be kept/maintained
  • when should it be discarded

Example

Revealing Information To Prospective Employee Policy: Information systems technical details, such as network addresses, network diagrams, and security software employed, must not be revealed to job applicants until they have signed a confidentiality agreement and also have been hired or retained.

Procedures

Defn: step-by-step descriptions of what employees must do to achieve a certain goal (as specified by a policy)

  • must be kept separate from policies
  • keeping them together creates a complex document that will (likely) not be read

[figure: policy and procedure pyramid]

Standards

The ISO/IEC 27000 series is a family of global standards for building an Information Security Management System (ISMS)

ISO standards

[figure: ISO standards chart (2013)]

[figure: ISO/IEC 27002:2022]

Information security measurement model - ISO/IEC 27004

  • monitoring
  • measurement
  • analysis
  • evaluation

[figure: IS measurement diagram] [figure: IS measurement and ISMS integration diagram]

Capability Maturity Model Integration (CMMI)

[figure: CMMI diagram]

Practices

Defn: detailed and repeatable ways of complying with a standard (and with a policy)

The difference from procedures is that a procedure contains a step-by-step method for completing a specific task, whereas a practice describes the accepted way of working

Examples

[figure: ID badges example] [figure: temporary badges example] [figure: badge-controlled access example]

Information security audit

Areas typically covered:

  • Organisation (Is there a security policy?)
  • Employee Security Focus (Training, Recruitment)
  • Change Management
  • Network Security (Router/Firewall, VPN)
  • Application Security (App Dev., Data Security)
  • System Security (Server Vulnerability & Hardening)
  • Identity Management (Account & Password Management)
  • Event Management (Incident Response)
  • Asset Security (Asset Inventory, Laptop Security, Software Management)