- [Narrator] Security professionals do a lot of writing. We need clearly written guidance to help communicate to business leaders, and users, and each other about security expectations and responsibilities. In some cases we're setting forth mandatory rules that everyone in the organization must follow, while in other cases, we're simply giving advice. Each of these roles requires communicating a little bit differently.

That's where the Security Policy Framework comes into play. Most security professionals recognize a framework consisting of four different types of documents: policies, standards, guidelines, and procedures.

Security policies are the bedrock documents that provide the foundation for an organization's information security program. They are often developed over a long period of time, and very carefully written to describe an organization's security expectations. Compliance with policies is mandatory, and policies are often approved at the very highest levels of an organization. Because of the rigor involved in developing security policies, authors should strive to write them in a way that will stand the test of time.
For example, statements like "all sensitive information must be encrypted with AES-256 encryption" or "store all employee records in room 226" are not good policy statements. What happens if the organization switches encryption technologies or moves its records room? You'll need to go through the rigorous policy approval process each time one of those changes takes place. Instead, a policy might make statements such as "sensitive information must be encrypted both at rest and in transit using technology approved by the IT department" and "employee records must be stored in a location approved by human resources." Those statements are much more likely to stand the test of time.

Security standards prescribe the specific details of security controls that the organization must follow. Standards derive their authority from policy. In fact, it's likely that an organization's security policy would include specific statements giving the IT department authority to create and enforce standards.
They're the place to include things like the company's approved encryption protocols, records storage locations, configuration parameters, and other technical and operational details. Even though standards might not go through as rigorous a development and approval process as policies, compliance with them is still mandatory.

When it comes to complex configuration standards, organizations often draw upon industry sources such as the standards available from the Center for Internet Security. These security standards provide detailed configuration settings for a wide variety of operating systems, network devices, application platforms, and other components of the IT infrastructure. They provide a great starting point for an organization's security standards. Some organizations simply use them as is, while others adopt these standards with slight customizations or simply use them as a reference when developing their own custom security standards.

Guidelines are where security professionals provide advice to the rest of the organization, including best practices for information security.
For example, a guideline might suggest that employees use encrypted wireless networks whenever they are available. There might be situations where a traveling employee does not have access to an encrypted network, so they can compensate for that by using a VPN connection. Remember, guidelines are advice. Compliance with guidelines is not mandatory.

Security procedures are step-by-step instructions that employees may follow when performing a specific security task. For example, the organization might have a procedure for activating the incident response team that involves sending an urgent SMS alert to team members, activating a video conference, and informing senior management. Depending upon the organization and the type of procedure, compliance may be mandatory or optional.

When you take the CISSP exam, be sure that you know the differences between policies, standards, guidelines, and procedures. Specifically, remember that compliance with policies and standards is always mandatory. Complying with guidelines is always optional, and compliance with procedures can go either way depending upon the organization and the specific procedure in question.