Home > Articles

Cybersecurity Policy Organization, Format, and Styles

In this chapter, we go over cybersecurity policies in the private sector, from guiding principles, policy, standards, procedures, and guidelines, as well as adjunct plans and programs. Most importantly, you will learn how a well-constructed policy employs plain language to deliver the intended meaning.

This chapter is from the book

In Chapter 1, “Understanding Cybersecurity Policy and Governance,” you learned that policies have played a significant role in helping us form and sustain our social, government, and corporate organizations. In this chapter, we begin by examining the hierarchy and purpose of guiding principles, policy, standards, procedures, and guidelines, as well as adjunct plans and programs. Returning to our focus on policies, we examine the standard components and composition of a policy document. You will learn that even a well-constructed policy is useless if it doesn’t deliver the intended message. The end result of complex, ambiguous, or bloated policy is, at best, noncompliance. At worst, negative consequences result as such policies may not be followed or understood. In this chapter, you will be introduced to “plain language,” which involves using the simplest, most straightforward way to express an idea. Plain-language documents are easy to read, understand, and act on. By the end of the chapter, you will have the skills to construct policy and companion documents. This chapter focuses on cybersecurity policies in the private sector and not policies created by governments of any country or state.

Policy Hierarchy

As you learned in Chapter 1, a policy is a mandatory governance statement that presents management’s position. A well-written policy clearly defines guiding principles, provides guidance to those who must make present and future decisions, and serves as an implementation roadmap. Policies are important, but alone they are limited in what they can accomplish. Policies need supporting documents to give them context and meaningful application. Standards, baselines, guidelines, and procedures each play a significant role in ensuring implementation of a governance objective. The relationship between the documents is known as the policy hierarchy. In a hierarchy, with the exception of the topmost object, each object is subordinate to the one above it. In a policy hierarchy, the topmost objective is the guiding principles, as illustrated in Figure 2-1.

FIGURE 2.1 Policy Hierarchy

Cybersecurity policies should reflect the guiding principles and organizational objectives. This is why it is very important to communicate clear and well-understood organizational objectives within an organization. Standards are a set of rules and mandatory actions that provide support to a policy. Guidelines, procedures, and baselines provide support to standards. Let’s take a closer look at each of these concepts.

Standards

Standards serve as specifications for the implementation of policy and dictate mandatory requirements. For example, you might have a remote worker policy that states the following:

  • This policy ensures that all employees understand their obligations to maintain a secure, productive, and efficient work environment while working from a remote location.

  • This policy applies to all employees who are approved to work remotely, either on a full-time, part-time, or temporary basis.

  • Employees must be reachable via phone, email, or video conferencing during core work hours.

  • Company-issued equipment should be used for work purposes only and should be maintained in a secure manner.

  • Employees must adhere to the organization’s data security policy, including but not limited to, use of the VPN, use of approved cloud services, secure data transfer, and storage solutions.

The remote worker standard would then dictate the required characteristics, such as the following:

  • MFA must be enabled for all accounts accessing corporate resources.

  • All devices used for remote work must have up-to-date anti-malware software installed.

  • Laptops and workstations used for remote work must have full-disk encryption enabled.

  • No sensitive data should be stored locally unless approved and encrypted. Use corporate cloud storage solutions when possible.

  • Only software approved by the IT department may be installed on work devices.

  • Keep all operating systems and applications updated with the latest security patches.

  • Remote devices and activity may be audited periodically for compliance with this standard.

  • Failure to adhere to this standard may result in disciplinary actions, as described in the Remote Work Policy.

Another example of a standard is a common configuration of infrastructure devices such as routers and switches. An organization may have dozens, hundreds, or even thousands of routers and switches, and it might have a “standard” way of configuring authentication, authorization, and accounting (AAA) for administrative sessions. It might use TACACS+ or RADIUS as the authentication standard mechanism for all routers and switches within the organization.

As you can see, a policy represents expectations that are not necessarily subject to changes in technology, processes, or management. A standard, on the other hand, is very specific to the infrastructure.

Standards are determined by management, and unlike policies, they are not subject to authorization by the board of directors. Standards can be changed by management as long as they conform to the intent of the policy. A difficult task of writing a successful standard for a cybersecurity program is achieving consensus by all stakeholders and teams within an organization. In addition, a standard does not have to address everything that is defined in a policy. Standards should be compulsory and must be enforced to be effective.

Baselines

A baseline serves as a standard guideline or set of specifications that is applicable to a particular category or group within an organization. These groups can be defined by different factors such as the platform (including specific operating systems and their versions), device type (like laptops, servers, desktops, routers, switches, firewalls, and mobile devices), ownership status (whether devices are employee-owned or corporate-owned), and location (such as onsite or remote workers).

The main purpose of establishing baselines is to ensure uniformity and consistency across the organization’s technological environment. For instance, in the context of a policy for remote workers, a baseline might require that all Windows devices used by remote employees adhere to a specific Active Directory Group Policy configuration. This standard configuration is used to technically enforce security requirements, ensuring that all devices within this group meet a consistent level of security compliance. This approach helps in managing and securing IT resources effectively, particularly in diverse and distributed environments.

Guidelines

Guidelines are best thought of as teaching tools. The objective of a guideline is to help people conform to a standard. In addition to using softer language than standards, guidelines are customized for the intended audience and are not mandatory. Guidelines are akin to suggestions or advice. A guideline related to the remote worker standard in the previous example might read like this:

  • Use MFA all the time. MFA is a security measure that requires you to provide two or more forms of identification before you can access your account. This usually means entering your password (something you know) plus a second form of identification—like a code sent to your phone (something you have) or a face recognition scan (something you are).

  • Store your device in a secure place when it is not in use to minimize the risk of theft or unauthorized access.

  • Regularly back up important files to the corporate cloud storage solution, not to personal cloud or local storage.

  • Use secure methods to delete sensitive information from your device rather than just moving files to the recycle bin.

Guidelines are recommendations and advice to users when certain standards do not apply to the environment. Guidelines are designed to streamline certain processes according to best practices and must be consistent with the cybersecurity policies. At the same time, guidelines often are open to interpretation and do not need to be followed to the letter.

Procedures

Procedures are instructions for how a policy, a standard, a baseline, and guidelines are carried out in a given situation. Procedures focus on actions or steps, with specific starting and ending points. There are four commonly used procedure formats:

  • Simple step: Lists sequential actions. There is no decision making.

  • Hierarchical: Includes both generalized instructions for experienced users and detailed instructions for novices.

  • Graphic: Uses either pictures or symbols to illustrate the step.

  • Flowchart: Used when a decision-making process is associated with the task. Flowcharts are useful when multiple parties are involved in separate tasks.

Procedures should be well documented and easy to follow to ensure consistency and adherence to policies, standards, and baselines. Like policies and standards, they should be well reviewed to ensure that they accomplish the objective of the policy and that they are accurate and remain relevant.

Plans and Programs

The function of a plan is to provide strategic and tactical instructions and guidance on how to execute an initiative or how to respond to a situation, within a certain time frame, usually with defined stages and with designated resources. Plans are sometimes referred to as programs. For our purposes, the terms are interchangeable. Here are some examples of information security–related plans we discuss in this book:

  • Vendor management plan

  • Incident response plan

  • Business continuity plan

  • Disaster recovery plan

Policies and plans are closely related. For example, an incident response policy generally includes the requirement to publish, maintain, and test an incident response plan. Conversely, the incident response plan gets its authority from the policy. Quite often, the policy will be included in the plan document.

sale-70-410-exam    | Exam-200-125-pdf    | we-sale-70-410-exam    | hot-sale-70-410-exam    | Latest-exam-700-603-Dumps    | Dumps-98-363-exams-date    | Certs-200-125-date    | Dumps-300-075-exams-date    | hot-sale-book-C8010-726-book    | Hot-Sale-200-310-Exam    | Exam-Description-200-310-dumps?    | hot-sale-book-200-125-book    | Latest-Updated-300-209-Exam    | Dumps-210-260-exams-date    | Download-200-125-Exam-PDF    | Exam-Description-300-101-dumps    | Certs-300-101-date    | Hot-Sale-300-075-Exam    | Latest-exam-200-125-Dumps    | Exam-Description-200-125-dumps    | Latest-Updated-300-075-Exam    | hot-sale-book-210-260-book    | Dumps-200-901-exams-date    | Certs-200-901-date    | Latest-exam-1Z0-062-Dumps    | Hot-Sale-1Z0-062-Exam    | Certs-CSSLP-date    | 100%-Pass-70-383-Exams    | Latest-JN0-360-real-exam-questions    | 100%-Pass-4A0-100-Real-Exam-Questions    | Dumps-300-135-exams-date    | Passed-200-105-Tech-Exams    | Latest-Updated-200-310-Exam    | Download-300-070-Exam-PDF    | Hot-Sale-JN0-360-Exam    | 100%-Pass-JN0-360-Exams    | 100%-Pass-JN0-360-Real-Exam-Questions    | Dumps-JN0-360-exams-date    | Exam-Description-1Z0-876-dumps    | Latest-exam-1Z0-876-Dumps    | Dumps-HPE0-Y53-exams-date    | 2017-Latest-HPE0-Y53-Exam    | 100%-Pass-HPE0-Y53-Real-Exam-Questions    | Pass-4A0-100-Exam    | Latest-4A0-100-Questions    | Dumps-98-365-exams-date    | 2017-Latest-98-365-Exam    | 100%-Pass-VCS-254-Exams    | 2017-Latest-VCS-273-Exam    | Dumps-200-355-exams-date    | 2017-Latest-300-320-Exam    | Pass-300-101-Exam    | 100%-Pass-300-115-Exams    |
http://www.portvapes.co.uk/    | http://www.portvapes.co.uk/    |