2.1 Key Terms
Qualitative = A method of risk assessment that uses a scenario model and expert opinion, rating likelihood and impact on ordinal scales (for example high/medium/low) rather than in numbers.
Quantitative = A method of risk assessment that uses a mathematical model based on data, expressing likelihood and loss in measurable figures (for example asset value, expected frequency, and expected annual loss).
Regulatory compliance = Security policy created because of local/national laws or regulations (SOX, HIPAA, and so on).
2.2 Things to Remember
2.2.1 The Who, What, and Why of Security Policies
Security Policies > Explanation
Who creates security policies? > The executive senior management team is ultimately responsible for the company's data and for the networks that carry that data. From a technician's perspective it may seem odd that senior management writes the security policy, but management is who specifies the overall goals of the policy. This high-level document is often referred to as the governing policy. It is then up to the management teams and the staff with the appropriate skills to implement the controls that satisfy it (physical, logical/technical, and administrative controls). At this level, technical policies assign security responsibilities according to the roles the staff fill. End users must agree to and abide by the policies the company sets forth; this is referred to as an end-user policy, often called an acceptable use policy (AUP). Policies may also apply to individuals outside the company, including customers, suppliers, and contractors.
What is in a security policy? > A primary aspect of a security policy is risk management. In that light, it can include items such as access controls, backups, virus/malware protection, incident handling, encryption, monitoring, password requirements, disposal of resources, inspections and reviews, personnel and physical security, the change-control process for system configuration, auditing, security awareness and training, documentation, and the AUP (the list goes on). A security policy should begin with a general overview of why the policy was written, what it covers, and what it does not cover; this is referred to as the scope of the policy.
Why do we have security policies? > Besides risk management, security policies are used to educate users, staff, and other workers about what the company's policy is. A policy also establishes a baseline of the security measures that must be implemented to protect assets. Without a security policy in place, the risk (the likelihood that a threat exploits a vulnerability in an asset and causes a loss) is unacceptably high, because no one has defined which measures are required or who is responsible for them.