Operational Policy
Security policies are a collection of documents that starts with a set of principles communicating standard rules across the organization. The implementation of those principles is detailed in the policy documents, which also outline the controls, actions, and processes the organization must perform. A security policy describes the types of controls that need to be in place for a given information system, but it does not specify how to build those controls. For example, a security policy may state that all computers connecting to the organization's network must have anti-virus and anti-malware detection software installed; it does not define which software to use or how to deploy it. Six different documents support the security policy framework:
- Principles: Establish the tone at the top and communicate rules that cut across the entire organization. Its primary focus is on critical risks and behaviors.
- Policy: States how the organization is to perform. It sets the stage for secure control of information and is approved by the most senior-level executives.
- Standard: A procedural or technical standard adopted throughout the organization. It includes technology, hardware, or software that has a proven record of performance.
- Procedure: Contains the steps required to implement a process. It supports policies and standards.
- Guideline: Contains suggestions within a policy, standard, or procedure to help the business operate more efficiently. A guideline can transition into a policy if it is widely adopted.
- Definitions: Statements that define the terms used in the policy documents and set the context in which the policy documents are interpreted (Johnson, 2014).
Security policies are essential to an organization because they ensure the consistent protection of information that flows through the organization. Physical and logical access controls need to work at all times to protect the data. There are several reasons why security policies are enforced:
- Protecting systems from the insider threat
- Safeguarding information at rest and in transit
- Controlling change to IT infrastructure
- Defending the business
Security policies help protect an organization's information resources at all times while ensuring that employees have secure access when they need it (Johnson, 2014). Additionally, policies define clear expectations of employee behavior in terms of the organization's core values and let employees know how to act when an ethical decision is required.
In the cyber security operational policy course we learned how to create security policies for a fictitious company called HIC, Inc. Below are some of the subsections I chose to discuss that are relevant to my job.
Project artifacts (PDF placeholders):
- Corporate Mobility Policy
- Policy Implementation, Enforcement, and Compliance
- Privacy Policies
Reflection
In this course, I learned to create security policies to protect the confidentiality, integrity, and availability of protected health information (PHI) and information assets of a fictitious organization called HIC, Inc. I chose the corporate mobility policy, policy implementation, enforcement, and compliance, and privacy policy artifacts to include in this section because these artifacts relate to my job. For example, we have a corporate mobility policy under which we may use our own device or a company-provided mobile device. In either case, our company has a clear definition of what the acceptable use of mobile devices is, along with who is responsible for support and what type of security measures are required to access company information.
As a security professional, my ethical duty is to ensure that information security practices do not violate any laws, regulations, or the privacy of individuals and organizations.
References
- Johnson, R. (2014). Security Policies and Implementation Issues (2nd Edition). Burlington, MA: Jones & Bartlett Learning.