Policies and Standards

Policies and standards: http://www.sans.org/security-resources/policies/


A policy is typically a document that outlines specific requirements or rules that must be met. In the information/network security realm, policies are usually point-specific, covering a single area. For example, an "Acceptable Use" policy would cover the rules and regulations for appropriate use of the computing facilities.

A standard is typically a collection of system-specific or procedural-specific requirements that must be met by everyone. For example, you might have a standard that describes how to harden a Windows 8.1 workstation for placement on an external (DMZ) network. People must follow this standard exactly if they wish to install a Windows 8.1 workstation on an external network segment. In addition, a standard can be a technology selection, e.g. Company Name uses Tenable SecurityCenter for continuous monitoring, and supporting policies and procedures define how it is used.

A guideline is typically a collection of system specific or procedural specific "suggestions" for best practice. They are not requirements to be met, but are strongly recommended. Effective security policies make frequent references to standards and guidelines that exist within an organization.

List of basic policies required:

1. InfoSec Policy (main points for staff and also as required by regulators, clients etc.)

2. Asset management (inventories and risk classifications for all assets, including people)

3. Privilege management (approvals of access, AMP-like functionality, leavers/transfers) - all asset types (apps, infra, data repositories such as SharePoint sites etc.)

4. Authentication (all use cases, including remote access), password complexity requirements etc.

4. Vulnerability management (apps and infra, including patching SLAs)

5. Resiliency (failover tests, recovery time objectives by risk classification etc.)

6. Network segmentation (DMZ, allowed flows)

7. Cryptography (allowed ciphers, mandatory use cases, crypto key management)

8. Web access (blocking)

9. Privacy (if it is in scope): masking, encrypting etc.

10. BCP

11. Physical security (data center and office access, environmental controls etc.)

12. Media erasure and disposal

13. Duty separation (no developer access to production, no business user access to code etc.)

14. Application security (if in scope): input validation, output sanitizer ion, special controls for mobile apps.

15. Backup/retention

16. Basic infra security: hardened builds for operating systems, no access to removable media, control of elevated access (such as local admin), wireless controls.

17. Forensics support (minimum logging, centralized log storage)

18. Policy exception management.

19. Incident management

20. Adoption of third party product-specific security standards (e.g., Microsoft standard for MS Office - if such exists, BlackBerry etc.)

21. Vendor management

22. Training and awareness

Last updated