
Chapter - 5

Cybersecurity Policy

1
Outline
• Introduction to Cybersecurity Policy
• Cybersecurity Policy definition
• Why Cybersecurity Policy?
• Methods of Improving Awareness of Security Policy
• Key elements of a policy
• Types of security policy
• Other categories of security policy

2
Cybersecurity Policy
• Security is a multilayered process.
• Once a risk assessment is completed, policies fall quickly
into place.
• Security policy is determined from the findings of the
risk assessment.
• The risk assessment should help drive policy creation on
items such as these:
– Passwords
– Patch management
– Employee hiring and termination practices
– Backup practices and storage requirements
– Security awareness training
– Antivirus
– System setup and configuration
3
Cybersecurity Policy
CISSP definition
• The term cybersecurity policy has more than one meaning.
• Policy is senior management's directives to:
– create a computer security program,
– to protect the corporation’s assets,
– establish its goals, and
– assign responsibilities.
• The term policy is also used to refer to the specific security
rules for particular systems.
• Additionally, policy may refer to specific managerial
decisions:
– setting an organization's e-mail privacy policy or
– fax security policy.
4
Cybersecurity Policy: Definition…
• The policy defines the corporation’s high-level information
security beliefs.
• In these terms, a policy can be described as a high-level
statement of a company’s security:
– beliefs,
– goals, and
– objectives,
– as well as the general means for their realization for a specified
subject area.
• In general, policies are:
– brief,
– technology-neutral (they state what must be achieved, not how), and
– solution-independent documents.
5
Cybersecurity Policy: Definition…
• A security policy is a document that:
– defines the scope of security needed by the organization,
– identifies the assets that require protection, and
– states the extent to which security solutions should go to provide the
necessary protection.
• A security policy also:
– defines the main security objectives,
– outlines the security framework of the organization,
– identifies the major functional areas of data processing, and
– clarifies and defines all relevant terminology.
6
Why Cybersecurity Policy?
• To prevent cyber attacks against the country’s
critical information infrastructures
• To reduce national vulnerability to cyber attacks
• To minimize damage and recovery time from cyber
attacks
• To create cyber resilience and a trusted digital
economy
• …
7
Cybersecurity Policy…
• For security to be effective, it must start at the top of an
organization.
• Senior management must make decisions on:
– what should be protected,
– how it should be protected, and
– to what extent it should be protected.
• These findings should be crafted into written documents.
• Before these documents are locked in as policies, they must be
researched to verify that they will be compliant with all federal, state,
and local laws.
• These documents should also clearly state:
– what is expected from employees and
– what the result of noncompliance will be.
8
Cybersecurity Policy…
• Policies are the top tier of formalized security documents.
• These high-level documents offer a general statement about:
– the organization’s assets and
– what level of protection they should have.
• Well-written policies should spell out:
– who’s responsible for security,
– what needs to be protected, and
– what is an acceptable level of risk.
9
Cybersecurity Policy…
• The basis for an effective information security architecture is a
well-written policy statement.
• This is the source from which all other directives, standards,
procedures, guidelines, and other supporting documents will
spring.
• The security policy is also used to:
– assign responsibilities,
– define roles,
– specify audit requirements,
– outline enforcement processes,
– indicate compliance requirements, and
– define acceptable risk levels.
10
Cybersecurity Policy…
• Cybersecurity policies:
– remain relevant for a substantial amount of time and
– are usually updated or revised only when a fundamental change to
the organization’s operations takes place.
• A policy should address:
– Prevention of misuse
– Detection (through regular checking)
– Investigation (through monitoring and audit)
– Procedures used to prevent security problems
(unauthorised access)
– Staff responsibilities (to prevent misuse)
– Disciplinary procedures (for breaches of security)
11
Methods of Improving Awareness of Security
Policy
• Introduction of Training
• Staff Access to Guidance
– Full staff meeting
– Training
– A leaflet distributed to all staff
– Policy posted on Intranet or bulletin board
– Posters displayed throughout the building
– Emails sent to all staff
Cybersecurity Policy
TARGET GROUPS
• Individuals that have access to systems, including end users.
• Individuals with information system, security, and/or risk
management and oversight responsibilities
– e.g., chief information officers, senior information security officers,
information system managers, information security managers;
• Individuals with information system development
responsibilities
– e.g., program managers, system designers and developers, information
security engineers, systems integrators;
13
Cybersecurity Policy
TARGET GROUPS…
• Individuals with information security implementation and
operational responsibilities
– e.g., mission/business owners, information system owners,
common control providers, information owners,
system administrators, information system security officers;
• Individuals with information security assessment and
monitoring responsibilities
– e.g., auditors, system evaluators, assessors, independent
verifiers/validators, analysts, information system owners.
14
Types of security policy
• Many organizations employ several types of security policies
to define or outline their overall security strategy.
• An organizational security policy focuses on issues relevant
to every aspect of an organization.
• An issue-specific security policy focuses on a specific
– network service,
– department,
– function, or
– other aspect that is distinct from the organization as a whole.
• A system-specific security policy focuses on:
– individual systems or types of systems and
– recommends approved hardware and software,
– outlines methods for locking down a system, and
– even mandates firewall or other specific security controls.
15
Cybersecurity Policy (CISSP)
• Organizations should have the following three different
types of policy:
– Program policy,
– Issue-specific policy, and
– System-specific policy.
• Some organizations may refer to these types with other
names such as:
– directives,
– procedures, or
– plans.
16
Program Policy
• The program/master security policy can be thought of as a
blueprint for the whole organization’s security program.
– It is the strategic plan for implementing security in the
organization.
• An organization's program policy should:
• Create and Define a Computer Security Program:
– Program policy should be clear as to which resources, including
facilities, hardware, software, information, and personnel, the
computer security program covers.
17
Program Policy…
• An organization's program policy should:
• Set Organizational Strategic Directions:
– This may include defining the goals of the program.
– For instance, in an organization responsible for maintaining
large mission-critical databases:
• reduction in errors,
• data loss,
• data corruption, and
• recovery might be specifically stressed.

18
Program Policy…
• An organization's program policy should:
• Assign Responsibilities:
– Responsibilities should be assigned to the computer security
organization/department for direct program implementation, and
– other responsibilities should be assigned to related offices.
• Address Compliance Issues:
– Program policy typically addresses two compliance issues:
1. meeting the requirements to establish a program and the
responsibilities assigned therein to various organizational components,
and
2. the use of specified penalties and disciplinary actions.
19
Issue-Specific Policy
An organization's issue-specific policies should:
• Address Specific Areas:
– Topics of current relevance and concern to the organization
should be addressed.
– For example, a policy on how the organization will approach
e-mail privacy or Internet connectivity.
• Be Updated Frequently:
– More frequent modification is required as changes in technology and
related factors take place.
• Contain an Issue Statement:
– The organization's issue statement, applicability, roles and responsibilities,
compliance, and point of contact should be clear.
20
Issue-Specific Policy…
• Examples for issue-specific policy:
– Change management policy
– Physical security policy
– Email policy
– Encryption policy
– Vulnerability management policy
– Media disposal policy
– Data retention policy
– Acceptable use policy
– Access control policy

21
System-Specific Policy
• A system-specific policy is concerned with a specific or individual
computer system.
– It is meant to present the approved software, hardware, and hardening
method for that specific system.
• An organization's system-specific policies should:
• Vary From System to System:
– Variances will occur because each system needs defined security
objectives based on:
• the system's operational requirements,
• environment, and
• the manager's acceptance of risk.
22
System-Specific Policy…
• Example:
– Routers and switches
– Intrusion prevention and detection systems
– Firewalls, Servers
– Storage technology
– Wireless routers and access points

23
System-Specific Policy…
• System-specific policy should address potential security issues of
the system during:
– Procurement of the system
– Installation of the system
– Configuration of the system
– Deployment of the system
– Operation of the system
– Maintenance of the system
– Disposal or destruction of the system
• It should also address the following issues of the system:
– Configuration requirements of the system
– Access control requirements of the system
– Testing issues of the system
– System log management
– Supporting components of the system
– System-related contingency plan
– Backup and recovery issues of the system
– Monitoring requirements
– …
24
All Policies
• All three types of policy should be:
• Supplemented:
– because policy may be written at a broad/high level,
– organizations also develop standards, guidelines, and procedures that offer
users, managers, and others a clear approach to implementing policy and
meeting organizational goals.
• Visible:
– Visibility aids implementation of policy by helping to ensure policy is fully
communicated throughout the organization.
• Supported by Management:
– Without management support, the policy will become an empty token of
management's "commitment" to security.
• Consistent:
– Other directives, laws, organizational culture, guidelines, procedures, and
organizational mission should be considered.
25
Cybersecurity Policy…
• In general, a cybersecurity policy is much like a strategic plan:
– it outlines what should be done
– but doesn’t specifically dictate how to accomplish the stated goals.
• Those decisions are left for standards, baselines, and
procedures.
• Security policies can be written to meet:
– advisory,
– informative, and
– regulatory needs.
• Each has a unique role or function.
26
Other categories of security policy
• There are also three overall categories of security
policies:
– regulatory,
– advisory, and
– informative.
27
Regulatory Policy
• A regulatory policy is required whenever industry or legal
standards are applicable to your organization.
• Regulatory policies are security policies that an organization must
implement because of compliance, regulation, or other legal
requirements.
• These policies are used to make sure that the organization
complies with local, state, and federal laws.
• An example regulatory policy might state:
– Because of recent changes to Federal Gov’t law, The Company will now
keep records of employee inventions and patents for 10 years;
– all email messages and any backup of such email associated with patents
and inventions will be stored for one year.
28
Advisory Policy
• Advisory policies define the behaviour the organization expects of
its people and the consequences of violating it; they are strongly
recommended by management rather than imposed by law or regulation.
29
Advisory Policy…
• Here’s an example advisory policy:
– Illegal copying: Employees should never download or install
any commercial software, shareware, or freeware onto any
network drives or disks unless they have written permission
from the network administrator.
– Be prepared to be held accountable for your actions, including
the loss of network privileges or employment termination if
the Rules of Appropriate Use are violated.
30
Informative
• Informative policies are not themselves enforceable; they describe a
subject rather than mandate behaviour, although the subject they
describe may be governed by other (regulatory or advisory) policies.
31
Informative policy...
• An informative policy is designed to provide information or
knowledge about a specific subject, such as:
– company goals,
– mission statements, or
– how the organization interacts with partners and customers.
• An informative policy provides:
– support,
– research, or
– background information relevant to the specific elements of the
overall policy.
• It is developed for education.
• Its goal is to inform and educate employees.

32
Security Standards, Baselines, and Guidelines
• Once the main security policies are set, the remaining security
documentation can be crafted under the guidance of those policies.
• Standards define compulsory requirements for the homogeneous use of:
– hardware,
– software,
– technology, and
– security controls.
• They provide a course of action by which technology and procedures are
uniformly implemented throughout an organization.
33
Cybersecurity Standards…
• Standards are much more specific than
policies.
• Standards are tactical documents:
– because they lay out specific steps or
processes required to meet a certain
requirement.
• As an example:
– a standard might set a mandatory requirement
that all email communication be encrypted.
• So although it does specify a certain
standard, it doesn’t spell out how it is to be
done.
• That is left for the procedure. 34
Cybersecurity Procedure
• Procedures are the lowest level in the organization’s security
documentation structure.
• While a security policy is a high-level document
containing general directives,
• a procedure is a very detailed document that gives
step-by-step instructions on how a
specific task is done.
35
Cybersecurity Procedure…
• A procedure is the most specific of security documents.
• A procedure is a detailed, in-depth, step-by-step document
that details exactly what is to be done.
• Procedures are tied to specific technologies and devices.
• As an example:
– your company has replaced its Check Point firewall with a Cisco PIX.
– Although the policies and standards dictating the firewall’s role in your
organization probably will not change,
– the procedure for configuring the firewall will.
36
Cybersecurity Baseline
• A baseline specifies the minimum level of security required.
• All systems in the organization must comply with that
minimum.
• To determine:
– which systems meet the baseline and which don’t,
– an evaluation must be done,
• on a regular basis, and
• whenever major changes are made.
• Such an evaluation could be done either:
– by the organization’s security team or
– outsourced to a third-party consultant.
37
Cybersecurity Baseline…
• A baseline is a minimum level of security that a system,
network, or device must adhere to.
• Baselines are usually mapped to industry or government
standards.
• As an example, an organization might specify that:
– all IT systems comply with a minimum Trusted Computer System
Evaluation Criteria (TCSEC) rating, Common Criteria assurance level, or
NIST standard.
38
Cybersecurity Guidelines
• A guideline points to a statement in a policy or procedure by
which to determine a course of action.
• Guidelines are practical instructions and recommendations targeting all
levels of staff in the organization.
• These instructions are considered operational guides on
how to apply and enforce the standards and baselines.
• Guidelines are flexible and not obligatory.
• A guideline is a recommendation or suggestion of how things should
be done.
• It is meant to be flexible so it can be customized for
individual situations.
39
Cybersecurity Guidelines…
• Guidelines are used to determine a recommended course
of action.
• Guidelines could be instructions like these:
– When you receive an email from an untrusted or unknown sender, don’t
open any attachments in the mail.
– Use of USB flash drives, external hard disks, or CD-ROMs on the
organization’s computers is prohibited.
– Don’t attempt to disable or hinder the antivirus operation.
• Note that a flat prohibition such as the USB rule is only a guideline while
it remains a recommendation; once management makes it compulsory it is a
standard by the definitions above.
• Best practices state what other competent security
professionals would have done in the same or similar
situation.
40
Assembling all the pieces together
• The security policy states in general words that the organization must
maintain a malware-free computing environment.
• A standard states in strict words that every computer on the
organization’s network must have antivirus installed and updated
with the latest virus definitions.
• A baseline sets the threshold below which a computer is
considered insecure, and at or above which it is considered
secure.
• The baseline could be, for example:
– a computer fully patched,
– with antivirus installed,
– having virus definitions not older than 7 days from the latest published
definitions from the vendor.
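The baseline evaluation that the earlier Cybersecurity Baseline slides call for ("which systems meet the baseline and which don’t") can be run as code against an inventory export. The script below is an added example, not part of the original slides or any vendor's tooling: it encodes exactly the three-point baseline above (fully patched, antivirus installed, definitions no more than 7 days behind the vendor) and reports every gap per host rather than stopping at the first. The `Host` records, host names, and the vendor release date are constructed sample data; a real run would feed it records from an EDR or CMDB export.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional

# Baseline threshold from the slide: definitions may lag the vendor's
# latest release by at most 7 days.
MAX_DEFINITION_AGE = timedelta(days=7)


@dataclass(frozen=True)
class Host:
    """One inventory record (constructed; a real one comes from EDR/CMDB)."""
    name: str
    missing_patches: int              # approved patches not yet applied
    antivirus_installed: bool
    definitions_date: Optional[date]  # None when no definitions are present


@dataclass
class Finding:
    host: str
    failures: list[str] = field(default_factory=list)

    @property
    def compliant(self) -> bool:
        return not self.failures


def evaluate_host(host: Host, latest_definitions: date) -> Finding:
    """Check one host against all three baseline requirements.

    Every requirement is evaluated so the report lists all gaps at once.
    """
    finding = Finding(host.name)

    # 1. Fully patched: no approved patch outstanding.
    if host.missing_patches > 0:
        finding.failures.append(
            f"{host.missing_patches} approved patch(es) missing")

    # 2. Antivirus installed.
    if not host.antivirus_installed:
        finding.failures.append("antivirus not installed")

    # 3. Definitions no more than 7 days behind the vendor's latest release.
    if host.definitions_date is None:
        finding.failures.append("no virus definitions present")
    else:
        lag = latest_definitions - host.definitions_date
        if lag < timedelta(0):
            # Dated after the vendor's latest release: a clock or inventory
            # error, not evidence of compliance, so treat it as a failure.
            finding.failures.append(
                "definition date is after vendor's latest release; "
                "check clock/inventory")
        elif lag > MAX_DEFINITION_AGE:
            finding.failures.append(
                f"definitions {lag.days} days behind vendor "
                f"(limit {MAX_DEFINITION_AGE.days})")

    return finding


def evaluate_fleet(hosts, latest_definitions: date) -> list[Finding]:
    return [evaluate_host(h, latest_definitions) for h in hosts]


def non_compliant_hosts(findings) -> list[str]:
    """Names of hosts below the baseline: the list that becomes the audit item."""
    return [f.host for f in findings if not f.compliant]


# Constructed sample inventory and a fixed sample vendor release date so the
# example runs offline and deterministically.
VENDOR_LATEST = date(2024, 3, 15)
SAMPLE_INVENTORY = [
    Host("web-01", 0, True, date(2024, 3, 13)),        # meets baseline
    Host("db-02", 3, True, date(2024, 3, 15)),         # unpatched
    Host("hr-laptop-07", 0, True, date(2024, 3, 3)),   # definitions 12 days old
    Host("legacy-scan-01", 0, False, None),            # no antivirus at all
    Host("build-04", 0, True, date(2024, 3, 20)),      # future-dated definitions
]

if __name__ == "__main__":
    for f in evaluate_fleet(SAMPLE_INVENTORY, VENDOR_LATEST):
        status = "OK  " if f.compliant else "FAIL"
        print(f"{status} {f.host}: {'; '.join(f.failures) or 'meets baseline'}")
```

The age check compares the host's definition date with the vendor's latest published release rather than with today's date, which is what the slide's wording requires: a host whose definitions are five days old is still compliant if the vendor has published nothing newer. A definition date later than the vendor's release is flagged rather than accepted, since it indicates a clock or inventory problem and cannot count as evidence of compliance.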
41
Cybersecurity Policy Structure

Policy

Standard

Baseline

Guideline

Procedure

42
Relationship among policies, standards, procedures, baselines,
and guidelines

43
Summary
• A security policy is a high-level document that dictates top
management’s security vision, objectives, scope, and
responsibilities.
• A standard is a set of obligatory rules that support the security
policy.
• A security baseline is the minimum threshold that all systems in the
organization must comply with.
• A guideline is a set of flexible recommendations and best
practices.
• A procedure is a detailed, step-by-step document that shows
how to carry out a specific task.
44
Additional resource on
Security Policy CISM

45
Establish and Maintain Information Security Policies
(CISM)
• The cornerstone of an effective information security
architecture is a well written policy statement.
• This is the source from which all other directives, standards,
procedures, guidelines, and other supporting documents will
spring.
• A policy performs two roles,
– Internal
– External.
• The internal portion tells employees what is expected of them and
how their actions will be judged.
• The external portion tells the world how the enterprise is run.
46
Cybersecurity Policy (CISM)
• Security and privacy policies and procedures must have
three elements to be effective.
• They must be documented, communicated, and current.
• There are three types of policies, and you will use each type at
different times in your information security program and
throughout the organization to support the business process or
mission.
• The three types of policies are:
– Global (Tier 1)
– Topic-specific (Tier 2)
– Application-specific (Tier 3)
47
Cybersecurity Policy…
• Global (Tier 1): These are used to create the organization’s
overall vision and direction.
• Topic-specific (Tier 2): These address particular subjects of
concern.
• Application-specific (Tier 3): These focus on decisions taken by
management to control particular
• applications (financial reporting, payroll, etc.) or
• systems (e.g., the budgeting system).
48
Global (Tier 1) Policy
• An information security policy will define the intent of management
and its sponsoring body with regard to protecting the
information assets of the organization.
• Senior Management is responsible for:
– meeting business objectives or mission requirements, and
– issuing global policies to establish the organization’s direction in
protecting information assets.
• Senior management must:
– ensure that necessary resources are effectively applied, and
– incorporate the results of the risk analysis process into the
decision-making process.
49
Global (Tier 1) Policy …
• The components of a global (Tier 1) policy typically include
the following four characteristics:
– Topic
– Scope
– Responsibilities
– Compliance or Consequences
50
Global (Tier 1) Policy …
• Topic
– The topic portion of the policy defines what specifically the policy
is going to address.
• It conveys two important elements:
– the topic (it should have something to do with the title of the
policy) and
– the hook, why the reader should continue to read the policy.
• An opening topic sentence might read as follows:
“Information created while employed by the company is the property of the
company and must be properly protected.”
51
Global (Tier 1) Policy …
• Scope
– The scope can be used to broaden or narrow either the topic or the
audience.
• In an information security policy statement we could say,
“Information is an asset and the property of the company and all employees
are responsible for protecting that asset.”
• In this sentence we have broadened the audience to include all
employees.
• We can also say something like,
“Business information is an essential asset of the company. This is true of all
business information within the company regardless of how it is created,
distributed, or stored and whether it is typed, handwritten, printed, filmed,
computer-generated, or spoken.”
• Here the writer broadened the topic to include all types of information assets.
52
Global (Tier 1) Policy …
• Responsibilities
• Typically, this section of the policy will identify who is responsible for
what.
• When writing, it is better to identify the “who” by job title and not by
name.
• Here again the Office Administrator’s Reference Guide can be of
great assistance.
• The policy will want to identify what is expected from each of the
stakeholders.

53
Global (Tier 1) Policy …
• Compliance or Consequences
• When business units or employees are found to be in a noncompliant
situation, the policy must spell out the consequences of these actions.
• For business units or departments, if they are found in noncompliance,
they are generally subject to an audit item and will have to prepare a
formal compliance response.
• For an employee, being found in noncompliance with a company
policy will mean they are in violation of the organization’s employee
standards of conduct and will be subject to consequences described in
the employee discipline policy.

54
Topic-Specific Policy (Tier 2)
• Whereas the global policy (Tier 1) is intended to address the broad
organization wide issues, the topic-specific policy is developed to
focus on areas of current relevance and concern to the organization.
• Management may find it appropriate to issue a policy on:
– how an organization will approach Internet usage or
– the use of the company-provided e-mail system.

• The global policy (Tier 1) is usually broad enough that it does not
require modification over time, whereas the topic-specific (Tier 2)
policies are likely to require more frequent revisions as changes in
technology and other factors dictate.

55
Topic-Specific Policy (Tier 2)…
• Topic-specific policies are the type an organization creates most often.
• Whereas the Tier 1 policies are approved by the Information Security
Steering Committee, a topic-specific (Tier 2) policy may be issued by a
single senior manager or director.
• It includes:
• Thesis statement:
– This is similar to the topic section discussed in the Tier 1 policies, but it also
adds more information to support the goals and objectives of the policy and
management’s directives, including definitions of the key terms it relies on.
– For example, a policy on “company-approved” software must say what counts
as unapproved software, which might be defined as “any software not
approved, purchased, screened, managed, and owned by the organization.”
56
Topic-Specific Policy (Tier 2)…
• Relevance
– The Tier 2 policy also needs to establish to whom the policy
applies.
– The policy will want to clarify where, how, and when the policy is
applicable.
– Example
• Is the policy only enforced when employees are on the work-site
campus, or will it extend to off-site activities?
• Responsibilities
• The assignment of roles and responsibilities is also included in Tier 2
policies.
• For example, the policy on company-approved software will have to identify
the process to get software approved. This would include the authority (by
job title) authorized to grant approval and a reference to where this process
is documented.
57
Topic-Specific Policy (Tier 2)…
• Compliance
– For a Tier 2 policy, it may be appropriate to describe, in some
detail, the infractions that are unacceptable, and the consequences
of such behavior.
• Supplementary Information
– For any Tier 2 policy, the appropriate individuals in the
organization to contact for additional information, guidance, and
compliance should be indicated.
58
CISM

59
Application-Specific Policy (Tier 3)…
• Global-level (Tier 1) and topic-specific (Tier 2) policies address
policy on a broad level.
• They usually encompass the entire enterprise.
• The application-specific (Tier 3) policy focuses on one specific
system or application.
• The final element will be the translation of Tier 1 and Tier 2
policies down to the application and system level.
• Many security issue decisions apply only at the application or
system level.
• Some examples of these issues include:
– Who has the authority to read or modify data?
– Under what circumstances can data be read or modified?
– How is remote access to be controlled?
60
Application-Specific Policy (Tier 3)…
• As you prepare to create Tier 3 policies, keep in mind the
following concepts:
– Understand the overall business objectives or mission of the
enterprise.
– Understand the mission of the application or system.
– Establish requirements that support both sets of objectives.

61
Policy Components (CISM)

62
Development of Procedures and Guidelines
That Support the Information Security Policy
• Procedure writing is different from policy writing in that it is not
useful to have teams develop the procedures.
– Procedures will not have to be approved by a management team.
– So the process is quicker, but will still require some work.
63
Procedure writing process

64