Security Policies and Procedures

  • Security frameworks

    • NIST

    • ISO

    • TOGAF

    • SABSA

    • COBIT

    • ITIL

  • Prescriptive Frameworks – Backed by regulations or compliance requirements.

    • COBIT

    • ITIL

    • ISO

    • PCI DSS

    • Levels of implementation (in order):

      • First: risk assessments

      • Second: policies and procedures

      • Third: continuous monitoring

  • Risk Based Frameworks

    • There is no universal framework that applies to everyone

    • The NIST Cybersecurity Framework is made up of:

      • Framework core: identify, protect, detect, respond, recover

      • Implementation tiers (maturity): partial, risk informed, repeatable, adaptive

      • Framework profiles (what do we need?)

  • Framework Contents

    • Acceptable Use Policy

      • How you can use resources

      • Must be enforced

    • Code of Conduct

      • Authorized job functions

      • Protect data

      • Follow requirements

      • Respect privacy

    • Privacy

      • Expected but needs balance

      • Must be enforced

      • Surveillance for security assurance, monitoring data, or physical monitoring

    • Ownership

      • You create the data, you own it

      • Data classification

      • Privileged users

    • Backup Policy

      • Short term

      • Long term

      • Destruction

    • Job-related security

      • Separation of duties

      • Job rotation

      • Mandatory vacation

      • Dual control

      • Least privilege

  • Corporate Policies

    • Upper management

    • Legal standpoint

    • Department-based

  • Procedures – list of steps

    • Examples

      • Compensating control

      • Continuous monitoring

      • Documentation

      • Control testing before implementation

      • Change management

      • Patching, updating

      • Retiring technology

  • Procedure Exceptions

    • How do you handle procedure exceptions?

      • Document them

      • Who, what, reasons, risk assessment, duration, review
