5.3 Policies

What are the rules?

Policy defines acceptable behavior for an organization. It's just like the rules of a game or the rules of a household. It defines things such as which types of remote access solutions are approved, or what employees may use work computers for (when it comes to personal use, come on, we all check our personal email on work computers).

Policy is important because without it, users are left to assume what the rules are.

Video Transcription

So we're going to get into the policy section. And you notice in the graphic, the policy is the base of the foundation. And this is true, because the policy is going to kind of dictate what the expected behavior is, and then standards and procedures help illustrate how that policy is actually implemented and realized at the organization. So I always find that policy is easier to understand with some examples.

So when we talk about policy within the information security space, we're thinking of things like acceptable use policy: what is okay for staff to do with technology? Also things like password policy, right? Like, where are passwords needed? How often do they need to be changed? (Which would be a standard.) Remote access policy or access policy, right? Are you allowed to take data home? Can you put data on thumb drives? Are you allowed to remote in from a hotel? Right? All of these questions are answered by policy, and policy is the will of the organization.

Now, if you're trying to figure out, okay, what policies would an information security practitioner or a GRC analyst want to consider? This is NIST 800-53, which is basically a collection of information security controls, and each control aligns with a family, right, and these families are Access Control, Awareness and Training, Audit and Accountability, etc.

You could technically have a policy for each one of these. If you're a rather large organization, you might actually have an access control policy, an awareness and training policy, etc. If you're a midsize organization, or you're just starting out, one of the things that is strongly encouraged would be just having an information security policy, right? How is information security done at that business? And within that information security policy, you can build out these access control elements, configuration management policies, right. So it allows you to have, like, one single document, one source of truth that has all the policies at an organization.

Let's actually take a minute and look at some examples. So if you Google "information security policy", and then I added site:gov, so I'm only getting government websites, you can see a couple come up here, right? And I'll just choose one really quickly so we can understand. So here's a fun one: chicago.gov.

The City of Chicago, Illinois, right. And you can see, this is their website, I just had pulled it up randomly right before I hit record, and they have an information security policy. So what is included in an information security policy? Well, you always want to have the following things, right? And I'll have a template that we can look at when we do the practical lab. But you want to have: what's the purpose of the policy? Right? What's the intent of it? What is the scope of it? Right? If it's an access control policy, is it just for a single department, like how HR or legal access stuff? Or is it the entire department? Is it the entire enterprise? Does it include vendors, contractors, third parties that you work with? What is the scope of the policy? Then, what is the actual policy itself? Of course, right, that's got to be in there. And then you'll want to know what happens if you don't comply with the policy, right, sanctions, or what's the penalty, and how does that work.

And then finally, what is really important is management support, whether that's a signature block, sign-off, or just an acknowledgement that management does support it. Policies will be completely useless if the business, by way of management commitment, isn't fully supportive of the policy. I can write policy until I'm blue in the face; it's just going to be a document that no one cares about, unless management supports it and ultimately uses it. If someone's going to violate policy, use it to properly hold those people accountable.

Going back to the example here, the City of Chicago, Illinois, you can see they've got their policy right here. And within the section you can see they have responsibilities and oversight, and then they start breaking it up, right. We talked over here about the NIST 800-53. We talked about these different families, like physical and environmental; you can see here they've got that as a subsection within there, along with acceptable use, access control, network security. So you can see again, using the 800-53 as your basis, you can really define the scope of where you'd want to have information security policy, whether at a high level, or as detailed as this gets. So getting back in here, you can see continuity management. And then they have that compliance piece down here that I was talking about.

So just looking through these, right, they have some explanations of what the policy overview is. This is incredibly detailed. If you are going to be working at an organization that maybe doesn't have a formal information security program, or they're just getting stood up or whatever, you wouldn't really have this depth of policy; you might just have the information security policy, which outlines that people will protect information, people won't access things that they shouldn't, etc., etc. But this is a great one as an example, and I'll provide a link to this in the course materials. But this is a great one to give you that exposure to understand what exactly a policy could look like, right?

A policy may state "all business information must be adequately protected when being transferred." That's just an example of a policy statement. We've got another one here from the State of Louisiana. You can see this is their information security policy. Again, it's going to be rather high level. Here we go. This is that management commitment, right. So this validates that they have reviewed and approved and support this policy. It is kind of standard to have, like, a most recent revisions section, which is what this is, but not really required; contact information for the people who wrote it. Very good. And then now we have our actual policy, right?

See, they actually have roles and support functions, right? Who is involved with executing the information security policy? They've got all these examples here. Instead of breaking it out into an access control policy, an awareness and training policy, Louisiana wisely has baked it all into one single policy document, right. So they've got their change management stuff here, their network communication stuff, vulnerability management. Again, you don't need to understand what vulnerability management is or how to execute on it. The point of what I'm trying to share with you here is that the information security policy defines how the organization is going to handle whatever it is, in this case vulnerability management. I'll click on it just to go down.

Here's the purpose and scope I mentioned. So what's the intent? And who does it affect? Just to use this one as an example: "the ability to manage vulnerabilities is crucial," yes, a little background. "All devices..." this is scoping: "all devices, systems and applications owned, managed or utilized by any individual conducting business shall be managed in accordance with this section." So all devices that somehow are involved with the State of Louisiana are held to this, right. So this is just a quick little example of a policy, right? "If a user becomes aware of a vulnerability applicable to any of these assets, they shall inform the information security team." Okay. So basically, the policy is saying you have to let people know if there are vulnerabilities, right.

You can see, going on here, that the Information Security Office is responsible for conducting vulnerability scans. That's a policy statement... well, that's less of a policy statement and more of, like, just assigning accountability.

But here's a policy statement: "Vulnerability testing shall be performed on all network, operating system, database, and applications which store, use or transmit any of this level of data." So they're defining when you're going to be doing the vulnerability scanning, okay?

If you don't know where to start, you can download templates, right? So this is a great example. If you searched "information security policy template" because you don't know where to begin, here's one from HealthIT.gov as an example. You can see it's right here, and we'll go ahead and download it and take a look at it. Now this one is way, way overkill, really, for what you would need to begin with, but just as an example, I'm going to jump ahead really quickly.

You can see this is a template, and they've got all these things I mentioned, right: purpose, scope, acronyms and definitions (not necessarily warranted or really required), but they've got some extra sections in here which we could dash out if we need to. You can see that they cover all sorts of specific sections, like identity verification and authentication, acceptable use, network connectivity. Again, if you wanted to, you could really trace it directly to each of these, pretty much. But looking at it, let's go on down. So in the template, you can edit this as much as you want. But it'll give you an example of what an information security policy can look like.

This is a bit overkill; when we do the practical lab section, we will not use something as detailed as this. But what you need to understand, I guess, from this particular section is that policy can be very comprehensive, but at the end of the day, it is merely stating what is acceptable, or what is the behavior that will be expected from the organization. The depth and scope of it all can be as high level as just an information security policy, or it can trickle all the way down into these very specific sections like access control and vulnerability management policies.

Now that we've defined, for example, that "user accounts will be protected with a single factor of authentication," that is a policy statement. "Remote access connections will be protected with multi-factor authentication." Okay, so that is two policy statements. Pretty clear. We'll continue to use that example as we move through the next couple of sections with standards and procedures. You'll note it's a policy statement: I didn't say what type of authentication or what type of accounts. I just said remote, external accounts, like accessing cloud systems or accessing anything from the internet. And I said a single factor of authentication versus multi-factor. So we'll get into the standards that talk about defining values for these types of policy statements. So what are the acceptable forms of authentication? How long does a password have to be? Does it have to be complex? What types of systems might be counted as remote?

So let's move into the standard section and get that sorted out. I'll see you in the next section.