Cybersecurity – So Complicated – Part 1
Understanding the differences between a policy and a standard.
In any organization, policy is one of the key tenets to be followed because of its uses, flexibility and function. Seen as the first line of defense, it is the most cost effective control, but it is also the most difficult to implement and follow through with effectively. Most failures in an organization come from poor management and a lack of policy. As written instructions, policies inform and educate employees about proper behavior regarding information and assets. A proper policy structure creates productive and effective environments and directs how issues should be addressed and how technologies should be used. Well implemented policy leads to reduced risk, compliance with laws and regulations, strong governance, and assurance of operational continuity through information confidentiality, integrity and availability. In this series, I’ll be picking out a cybersecurity topic to discuss every once in a while. I want to start here with a more “managerial” topic: understanding the differences between a policy and a standard, since the two are used almost interchangeably in everyday talk.
While policy is the written instruction that helps shape and guide the organization on how issues are addressed and technologies used, standards are detailed statements of the actions to be taken in order to comply with that policy, built on the foundation the policy provides. Standards are the written instructions that specify the proper operation of the issues and technologies mentioned in the policy. Just as policies drive the development of standards, standards in turn drive the development of business practices, procedures and guidelines in the organization. An example would be a policy stating that all users must have unique passwords for system accounts, while the accompanying standard would specify that a password must have a certain length, contain certain characters, or meet a combination of the two.
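To make the policy/standard split concrete, here is an added example (not code from the original post) that expresses the password example above as code: the policy clause stays abstract, and the standard supplies the checkable parameters. The `PasswordStandard` class, the `STANDARDS` table, the account types and all values are constructed for illustration; it also goes slightly beyond the text by showing that one policy can be served by two standards (a stricter one for privileged accounts).

```python
"""Added example (not from the original post): a password policy clause
expressed as a standard with checkable parameters.

The policy clause stays abstract ("every system account must have a
password that meets the organization's password standard"); the standard
supplies the measurable values.  Two standards are defined to show that the
same policy can be served by different standards for different account
types.  All names and values below are constructed for illustration."""
from dataclasses import dataclass
from typing import Dict, List
import string


@dataclass(frozen=True)
class PasswordStandard:
    """Concrete parameters that a standard, not the policy, would specify."""
    min_length: int
    require_upper: bool = True
    require_lower: bool = True
    require_digit: bool = True
    require_symbol: bool = True


# Constructed standards: a stricter one applies to privileged accounts.
STANDARDS: Dict[str, PasswordStandard] = {
    "user": PasswordStandard(min_length=12),
    "admin": PasswordStandard(min_length=16),
}


def violations(password: str, std: PasswordStandard) -> List[str]:
    """Return the clauses of the standard the password violates (empty = compliant)."""
    failures: List[str] = []
    if len(password) < std.min_length:
        failures.append(f"shorter than {std.min_length} characters")
    if std.require_upper and not any(c.isupper() for c in password):
        failures.append("no uppercase letter")
    if std.require_lower and not any(c.islower() for c in password):
        failures.append("no lowercase letter")
    if std.require_digit and not any(c.isdigit() for c in password):
        failures.append("no digit")
    if std.require_symbol and not any(c in string.punctuation for c in password):
        failures.append("no symbol")
    return failures


def complies(password: str, account_type: str) -> bool:
    """Apply the standard that governs the given account type (unknown types fail closed)."""
    std = STANDARDS.get(account_type)
    if std is None:
        return False
    return not violations(password, std)


if __name__ == "__main__":
    # Constructed sample inputs.
    for pw, kind in [("Tr0ub4dor&3x!", "user"), ("Tr0ub4dor&3x!", "admin"), ("password", "user")]:
        print(f"{kind:5} {pw!r}: {violations(pw, STANDARDS[kind]) or 'compliant'}")
```

Note that the policy text never changes when the organization tightens `min_length` or adds a character class; only the standard does, which is exactly why the policy can stay neutral while the standard carries the specifics.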
Though policies have such great importance, they are useless if the organization doesn’t have a firm grasp on them. The best way to make policies effective is to disseminate them properly and to ensure that every employee not only receives a copy, but has read it and has affirmed that they understand and agree to it. Although some may disagree, I believe that policy should remain as neutral as possible, whereas the standards and procedures can become more specific. In order to disseminate an information security policy, it is important to define which kind of security policy the organization will adhere to, from one of the following: Enterprise Security Program Policy (EISP), Issue-Specific Security Policy (ISSP), or Systems-Specific Security Policy (SysSP), all of which are based on NIST Special Publications 800-14 and 800-18.
The most common policy is the EISP, which essentially explains the steps and standards for complying with policy by guiding the development, implementation and management of the policy program. Typically the staple document for explaining policy compliance, it defines the enterprise/organizational structure and the information security program designed to support it from within. Because it is the policy document for all security controls and protocols within the organization, it is more commonly known as a general security policy. It deals with the overall development, planning and implementation of organizational policy, and typically describes the security responsibilities shared among members and those assigned to each role. Examples of components within an EISP document would be sections on the use of information, legal conflicts, exceptions, violations and penalties.
The ISSP deals with the balance between issue and policy management, and instructs the organization on personal responsibility and accountability regarding technology-based systems. Whereas the EISP discusses the general structure of information security policy within the organization, the ISSP homes in on more specific areas such as prohibited usage, penalties and the standards of acceptable use of technological assets. It serves as a guideline for everybody concerning the use of technology and articulates the standards of conduct relating to the use of technological assets. Examples of components within an ISSP document would be the use of e-mail, the internet, malware/anti-virus software, BYOD policies and other specific policies regarding technology use.
The SysSP guides management on technical specifications and provides management guidance for achieving security objectives. Typically it is implemented through standards and procedures used when configuring or maintaining the system itself, rather than the technology in general. SysSPs fall into two groups: management guidance and technical specifications. Management guidance concerns the implementation and configuration of the technology itself, and not necessarily how it is used. Technical specifications are similar but separate in that they take the management intent for a technological asset and break it down further into technical standards, such as access control lists and configuration rules. Access control lists, which govern the rights and privileges of users, can have different configurations that give users different privileges based either on their role or specifically on who they are. They can regulate who can use the system, as well as what, when, where and how users can access it. Configuration rules deal with the standards for how information is shared and travels through the organization.
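The access control list described above is the part of a SysSP that is most naturally written as a technical specification, so here is an added example (not code from the original post) of a small ACL evaluator: entries grant or deny operations on a resource by user identity or by role, optionally limited to a time-of-day window and a source network, covering the who/what/when/where/how dimensions the text lists. The `AclEntry` and `AccessControlList` classes, the `payroll-db` resource, the users, roles and the `10.0.0.0/8` network are all constructed assumptions; the deny-by-default and explicit-deny-wins rules are design choices of this example, not something the post prescribes.

```python
"""Added example (not from the original post): a small access control list
evaluator of the kind a SysSP technical specification might define.

Each entry permits or denies a set of operations on a resource for either a
named user or a role, optionally limited to a time-of-day window and a source
network.  Nothing is permitted unless an entry allows it, and an explicit deny
entry always wins.  All users, roles, resources and networks are constructed."""
from dataclasses import dataclass, field
from datetime import time
from ipaddress import ip_address, ip_network
from typing import FrozenSet, List, Optional, Set


@dataclass(frozen=True)
class AclEntry:
    resource: str
    operations: FrozenSet[str]          # what / how, e.g. {"read", "write"}
    user: Optional[str] = None          # who, by identity
    role: Optional[str] = None          # who, by role
    start: Optional[time] = None        # when: window start (inclusive)
    end: Optional[time] = None          # when: window end (inclusive)
    network: Optional[str] = None       # where: CIDR the request must come from
    effect: str = "allow"               # "allow" or "deny"

    def matches(self, user: str, roles: Set[str], resource: str, op: str,
                now: time, src_ip: str) -> bool:
        """True if every constraint the entry carries is satisfied by the request."""
        if self.resource != resource or op not in self.operations:
            return False
        if self.user is not None and self.user != user:
            return False
        if self.role is not None and self.role not in roles:
            return False
        if self.start is not None and self.end is not None and not (self.start <= now <= self.end):
            return False
        if self.network is not None and ip_address(src_ip) not in ip_network(self.network):
            return False
        return True


@dataclass
class AccessControlList:
    entries: List[AclEntry] = field(default_factory=list)

    def is_allowed(self, user: str, roles: Set[str], resource: str, op: str,
                   now: time, src_ip: str) -> bool:
        """Evaluate one request: explicit deny overrides any allow; no match means deny."""
        matched = [e for e in self.entries
                   if e.matches(user, roles, resource, op, now, src_ip)]
        if any(e.effect == "deny" for e in matched):
            return False
        return any(e.effect == "allow" for e in matched)


def sample_acl() -> AccessControlList:
    """Constructed ACL for a hypothetical payroll database."""
    return AccessControlList([
        # Role-based: DBAs may read and write, but only in business hours from the office network.
        AclEntry("payroll-db", frozenset({"read", "write"}), role="dba",
                 start=time(8, 0), end=time(18, 0), network="10.0.0.0/8"),
        # Identity-based: alice may read at any time from anywhere.
        AclEntry("payroll-db", frozenset({"read"}), user="alice"),
        # Explicit deny: contractors never write, even if they also hold the dba role.
        AclEntry("payroll-db", frozenset({"write"}), role="contractor", effect="deny"),
    ])


if __name__ == "__main__":
    acl = sample_acl()
    # Constructed requests: in-hours write from the office network, then the same write after hours.
    print(acl.is_allowed("alice", {"dba"}, "payroll-db", "write", time(9, 0), "10.1.2.3"))   # True
    print(acl.is_allowed("alice", {"dba"}, "payroll-db", "write", time(20, 0), "10.1.2.3"))  # False
```

The same structure serves both styles the text mentions: the `role` field gives role-based privileges and the `user` field gives identity-based ones, and a request can be allowed by either kind of entry as long as no deny entry also matches it.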
Compliance with policy is often broken into two steps: design and development, and establishing the process to distribute and maintain the policy.
Policy is based on the organization’s values, mission and scope, but writing it is only one part of the compliance process; the other step deals with ensuring that members have not only received the policy, but have read and understood it.
Some methods are read-receipts, banners and pop-ups, and physical copies that must be signed; however, distribution itself is a very difficult process because policies can often contain classified material and internal information. Once the policy has been distributed, it is important to manage and maintain it as well, which leads to committees that analyze and update policies over time to ensure that they remain relevant and effective.