Operational Policy
A security policy is a document that organizations develop to specify the rules, expectations, and overall approach they use to preserve the confidentiality, integrity, and availability of their data. Sometimes, a policy is used in conjunction with other documents, such as procedures, standards, and guidelines, to assist in achieving its security goals. A security policy answers the questions “what” and “why,” while procedures, standards, and guidelines answer the “how.” The policy outlines the overall strategy and cyber posture, while the other documents assist in building structure around that practice (Grimmick, 2023). According to the National Institute of Standards and Technology (NIST) Special Publication 800-12 Revision 1, there are three distinct types of security policies: program policy, issue-specific policy, and system-specific policy.
A program policy, also known as an organizational policy, is a high-level blueprint used to steer the organization’s security program. With input from senior management, it is crafted at a high level and clarifies the security program’s scope and purpose, in addition to identifying roles, responsibilities, and compliance mechanisms. A program policy is technology agnostic. Because it is written at a high level, it remains relevant even when organizational or technical changes occur.
An issue-specific policy provides concrete guidance on issues such as network security, internet access, email privacy, and remote access. It focuses on areas of concern and current relevance to an organization and presents distinct guidance on proper usage. Due to frequent technological changes, an issue-specific policy must be reviewed on a regular basis.
The most granular type of security policy is a system-specific policy, which focuses on a particular type of system such as a web server or firewall. It relates to a specific technology and dictates the applicable security configurations that align with the required security control. According to NIST, a system-specific policy should include a security objective and operational rules. IT and security teams play a significant role in the creation, implementation, and enforcement of such a policy. However, it is senior management that ultimately makes the key decisions and rules (NIST, 2017).
A security policy addresses a wide audience, including non-technical readers, and should be written in language that is concise and comprehensive, include clear definitions of technical terms, and be enforceable (Grimmick, 2023). It communicates intent from senior management; hence, for any security program to succeed, senior management must be committed to the program, or it is likely to fail.
An effective security policy combines professional expertise with ethical considerations, protecting both individuals and the organization while preserving legal requirements and privacy rights (ieee.org, 2024). In its implementation, both ethical and professional considerations play a pivotal role. Organizations must respect the privacy rights of individuals and, before collecting or processing any personal information, they should obtain informed consent. The security measures in a policy should exemplify equity and fairness, should not impact specific individuals or groups in a disparate manner, and must align with regulatory and legal requirements.
Security professionals’ actions and decisions must be guided by the ethical principles outlined in the organization’s code of conduct. They must maintain high standards of competence and be accountable for their security decisions and actions.
Overall, security policies are essential for preserving a secure environment and protecting an organization’s critical assets.
Policy Development, Implementation and Execution are critical to the Cybersecurity Strategy
A security policy plays a critical role in any cybersecurity strategy. It lays out rules and instructions and sets clear expectations that organizations employ to maintain the confidentiality, integrity, and availability of their sensitive information. In most organizations, the initial step in their cybersecurity strategy is conducting a risk assessment to understand the potential threats and vulnerabilities associated with their assets. A well-defined policy has clear procedures to identify and mitigate vulnerabilities and risks, provides guidance on data protection, and helps organizations effectively allocate security resources (Brecht, 2017).
For a robust cybersecurity strategy, compliance and consistency are critical. A well-planned security policy supports this strategy by setting clear expectations and providing a consistent framework so that employees follow the same practices. Having documentation that supports industry and legal standards such as PCI-DSS and GDPR ensures compliance with these legal obligations. With consistency, efficiency is increased, and a uniform security posture is maintained across the organization.
Adaptability and scalability should be fundamental in a well-written security policy. A policy should be adaptable to new technologies and risks and be accommodating to changes as the organization grows.
The main goal of a cybersecurity strategy is the organization’s security. It is in place to protect against incidents such as data breaches and ransomware attacks. A security policy sets procedures and guidelines in place to protect against such breaches and unauthorized access. It aids in safeguarding the organization’s critical assets. For incident response, a well-defined policy not only provides guidance to security professionals, but also ensures that responses are structured and efficient. Overall, a well-constructed security policy functions as the cornerstone of a successful cybersecurity strategy.
References:
National Institute of Standards and Technology (NIST). (2017, June 23). NIST Special Publication 800-12 Revision 1: An Introduction to Information Security. Retrieved from https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-12r1.pdf
Brecht, D. (2017, October 31). Best practices for implementing an IT/cybersecurity policy. Retrieved from Infosec: https://www.infosecinstitute.com/resources/management-compliance-auditing/best-practices-implementing-itcybersecurity-policy/
Grimmick, R. (2023, April 6). What is a Security Policy? Definition, Elements, and Examples. Retrieved from Varonis: https://www.varonis.com/blog/what-is-a-security-policy
ieee.org. (2024). Ethical Issues Related to Data Privacy and Security: Why We Must Balance Ethical and Legal Requirements in the Connected World. Retrieved from https://digitalprivacy.ieee.org/publications/topics/ethical-issues-related-to-data-privacy-and-security-why-we-must-balance-ethical-and-legal-requirements-in-the-connected-world
Laws, Regulations and Standards
Laws, regulations, and standards are interrelated elements that ensure quality, safety, and ethical practices. Together they create a framework that governs the conduct of organizations, businesses, and individuals (Mosse Cybersecurity Institute, 2022).
(Public Health Emergency, 2018)
Laws are a system of codes or rules written by the governments of countries, states, or cities. Under the US Constitution, the government comprises three branches. The Legislative Branch writes and passes laws, the Executive Branch signs and implements them, and challenges to these laws can be made through the Judicial Branch. Generally, laws dictate what they want to achieve and when they will go into effect and, overall, lay out the fundamental framework for governance.
Regulations
To interpret and implement laws passed by Congress, US government agencies and departments issue regulations. Regulations are legally binding, and violating them can result in fines, penalties, or legal action. They can be amended or modified by the issuing agencies without further action from Congress. While not all laws require regulations, regulatory agencies are empowered to enforce compliance with the rules (Public Health Emergency, 2018).
Standards
Standards are guidelines for processes, services, or practices. They are usually developed by industry associations, standardization organizations such as ISO (the International Organization for Standardization), or government agencies. While they are not legally binding, standards ensure uniformity and consistency across industries and are widely adopted.
Overall, laws establish the legal framework, regulations detail the enforcement instructions, and standards guarantee safety and quality.
The artifact that I chose for this topic is a presentation which explains how a fictitious company named TopNochSwitch.Inc. will utilize Laws, Regulations, and Standards in their business. These Laws, Regulations, and Standards are usually included in our security policies. Security professionals are tasked with ensuring that policies are being followed and enforcing compliance. In the selected artifact, it should be noted that the presenter asked for buy-in from senior management. For our security goals to be successful, senior management needs to set the example. Not only should they give their full support, but also demonstrate their adherence to the security policies in place.
References:
Mosse Cybersecurity Institute. (2022). Regulations, Standards and Legislation. Retrieved from https://library.mosse-institute.com/articles/2023/08/regulations-standards-legislation.html
Public Health Emergency. (2018, February 15). Introduction to U.S. Law & Policy. Retrieved from https://www.phe.gov/s3/law/Pages/default.aspx
Privacy Policies
Privacy policies are mandatory for several data privacy laws. They are legal documents that detail how an organization collects, protects, uses, and discloses individuals’ personal information. To protect the organization, privacy policies set clear expectations detailing the types of information that would be collected, outline the organization’s data sharing and security measures, and inform users of their privacy controls, including how to export and delete their collected data. Additionally, privacy policies stipulate how an organization would comply with regulations.
While privacy policies adhere to data privacy laws worldwide, they also build trust by demonstrating an organization’s care for customer privacy, assist users in understanding how their data is used, and contribute to SEO (Search Engine Optimization) and marketing, since websites with privacy policies are prioritized by search engines (Ironclad Journal, 2024).
Although the threat of legal action is inevitable, privacy policies help organizations avoid legal battles and fines. Some of the largest GDPR (General Data Protection Regulation) fines for privacy violations were (Komnenic, 2023):
Meta was fined $1.3 Billion for violating international data transfer guidelines.
Amazon was fined $780.9 Million for collecting information without adequate user consent.
WhatsApp was fined $247 Million for unclear privacy policies and lack of transparency.
Privacy policies are meant to notify the world about what businesses do. They are a strong reflection of an organization’s values.
The chosen artifact discusses why Hyperbeard Inc. was fined by the FTC (Federal Trade Commission) for violating COPPA (Children’s Online Privacy Protection Act). While Hyperbeard Inc. itself complied with COPPA, it did not ensure that the third-party companies it worked with also complied with the COPPA Rule.
References:
Ironclad Journal. (2024). What Is a Privacy Policy? Everything You Need to Know. Retrieved from https://ironcladapp.com/journal/contracts/how-to-create-the-best-privacy-policy-for-your-business/
Komnenic, M. (2023, November 20). 9 Key Reasons Why You Need a Privacy Policy. Retrieved from Termly: https://termly.io/resources/articles/why-you-need-a-privacy-policy/
Policy Implementation, Enforcement and Compliance
Security policies play a pivotal role in protecting an organization’s digital assets. Thus, it is important to get buy-in from top management, department heads, and all relevant stakeholders when implementing and enforcing security policies. While policy implementation sets forth the rules on how organizations manage privacy, security, and risk management, security professionals should share training materials and conduct security awareness training to ensure that employees understand and follow the rules set forth. Security training assists employees in understanding and complying with security policies, fosters a security-conscious culture, and educates and empowers employees to identify security risks, allowing them to make informed decisions. Training also facilitates feedback from employees, which security professionals can use to refine and improve the security policies (Fortinet, 2021).
Apart from specifying the purpose, goals, scope, and roles and responsibilities, security policies should specify enforcement methods and penalties for non-compliance. Policy enforcement should be directly connected to the penalties for inaction. Security professionals can ensure compliance by leveraging enforcement mechanisms such as separation of duties and the principle of least privilege (Mariano, 2023). They can apply separation of duties by identifying conflicting roles that must be executed by more than one user, or by implementing role-based access control at access time. Periodically, security professionals should evaluate how well employees understand the implemented policies and follow up with updated training material.
Security policies are living documents that are continually updated. Organizations should have a risk management program in place whereby security professionals conduct risk assessments to ensure that the security controls in place are still effective. Risk assessments assist in quantifying, qualifying, and mitigating risks. Before organizations engage with third-party vendors, security professionals should evaluate the vendors’ security practices and, on a regular basis, verify their continued compliance with security policies and best practices.
The artifact that I chose illustrates how a fictitious company does business internationally. It details the laws it must follow, how it complies with those laws, and the penalties for non-compliance.
References:
Fortinet. (2021, December 16). Setting Goals and Planning. Retrieved from https://www.fortinet.com/content/dam/fortinet/assets/white-papers/wp-setting-goals-planning-security-awareness-training-program.pdf
Mariano, M. (2023, May 2). Ultimate Guide to Developing Security Policies & Procedures. Retrieved from AWA International: https://awainfosec.com/blog/guide-developing-security-policies-procedures/
Reflection
I started my CSOL 540 class just after I moved over to the ISO 27001 project at work and found that this new knowledge closely aligned with what I was doing. It was fascinating to be gaining this additional knowledge and simultaneously validating it in my work environment. As we delved into laws such as CCPA (California Consumer Privacy Act) and GDPR (General Data Protection Regulation), I fully understood why it was necessary for our organization to mention those laws as applicable legal requirements on our ISO certification application.
The ISO 27001 certification process requires security policy review meetings to ensure that policies provide maximum security supporting business requirements and, if needed, modifications to policies to reflect the requirements. Throughout the entire ISO process, it became more evident how important senior management’s buy-in was to the success of the project.
During the CSOL 540 course, I was curious about how my organization conducted business internationally, how they kept abreast with changing laws, and how they continued to maintain compliance. This information is reflected in the chosen artifacts.
In conducting my duties as a security professional, I am duty bound to ensure that there are no violations of laws or regulations, and that the present security controls still align with the business requirements.