Policy Development and Assessment
SANS MGT 514, a leap towards cybersecurity management: Security Strategic Planning, Policy, and Leadership Program
This work is merely a reference to the original SANS MGT514 course, created only based on my understanding of the course. The primary objective of this entire series is to impart information in my own words and persuade people of the efficacy of SANS courses, which are created with numerous real-life examples and well-developed labs. Remember that certain portions were left out in order to avoid any copyright concerns.
On day 3, we were all compelled to reevaluate all of our prior concepts pertaining to requirement assessment, usage of appropriate language, writing in proper structure, minimizing ambiguity, and efficiently managing the entire policy lifecycle.

Organizations use security policies as a way to maintain the confidentiality, integrity and availability of their sensitive assets. An organization’s policy defines the expectations of its senior leadership regarding how the security program, controls and processes should be managed.
There are several categories of security policies, from documents that address particular issues like identity and access management or acceptable use to high-level definitions of an organization’s general security objectives. According to NIST SP 800-12 Rev. 1 “An Introduction to Information Security”, the three most frequent types of policies are program-specific, system-specific, and issue-specific.
“Companies create policies to ultimately protect themselves”.
A security policy protects enterprises not just from security threats, but also from regulatory penalties and litigation, as well as from personnel acting inappropriately. An individual’s conduct is often governed by two factors: exception and empowerment.
An exception to the security policy is something that does not follow the security policy’s established rules. An exception is commonly used to circumvent the constraints of a security policy in order to meet a business requirement that arose after the policy was developed. In other words, the policy was written to meet a specific business need, and the new requirement was not reasonably foreseeable at the time.
Exception Management & Managing Risk of Exception
Employees are empowered by giving them the resources, permissions, opportunities, and desire to complete their tasks, as well as by holding them responsible for their actions.
Empower Employees for better decisions
Policy Development
Create policies with “Compliance by design” in mind. Compliance by design refers to the logical integration of regulatory requirements into routine conventional and automated activities and processes. To achieve compliance by design, policies and procedures should be created in such a manner that the intended behavior of following security best practices is ingrained in the culture of the business.

Policy lifecycle management: the policy lifecycle describes the stages a policy goes through, from conception to decommissioning. To reduce risk, a policy administered under an information security program should follow a lifecycle that is continually assessed and enhanced.
Remember that a policy must be effective; the following components contribute to policy effectiveness.
- Should lower risk
- Engagement and Education
- Evaluation and Enforcement
- Review and Update
A risk assessment is also mandated by policy.
Policy development is a tedious task; if you’re just getting started, look for policy frameworks that you can build on over time.

Information Security Policies, Procedures, and Standards: A Practitioner’s Reference 1st Edition
Policies are typically classified into four types.
- Governance
- Operational
- Security
- Acceptable Use
Points to consider while writing a policy
- Content and word selection
- Voice and typography preferences
- Length and format
Structure of Policy
- Overview
- Purpose
- Scope
- Policy Statement
- Version Control
- Enforcement
- Responsible Parties
Information Security Policy Example
SMART Approach
One of the most important concerns is that most policies are not written in a way that allows them to be executed and an efficient procedure to be built on their foundation. A policy should be built on the SMART framework in order to be Specific, Measurable, Achievable, Realistic, and Time-Bound.