What is a security policy?

An information security policy is a formal, high-level statement or plan that embraces an organization's general beliefs, objectives, goals, and acceptable procedures for information security. It defines a set of rules, procedures, and policies designed to ensure that all end users and networks within an organization have IT security and data protection security.

A security policy basically is a written document. The document consist of policy and statements that outlines how to protect the organization from attacks and threats. the members of the company should know about the detailed updated security policy.

The another main objective of security policy is to preserve integrity, confidentiality and availability of systems and information used by the members.

Purpose of information security policy

A set of regulations that guide individuals who deal with IT assets is known as an Information Security Policy (ISP). To ensure that your staff and other users follow security policies and processes, organizations must adopt an information security policy.

The organization creates ISPs to

• Make users understand how to protect the organization's confidential resources from security threats.
• It secures the credentials of their customer such as banking information, credit card details and so forth.
• Provides access to services and key information technology assets to those who are authorized to do so.
• Provides effective and standard mechanisms to respond to several complaints related to cyber security risks such as malware, ransomware, and phishing.
• Detects the impact of compromised information assets such as misuse of network and data, mobile devices, system information and application.

Framework of security policy

The hierarchy of security policy framework.

Security policies

There are three types of security defined by the management. These are:

• General or security program policy
• Issue-specific security policy
• System-specific security policy

Security Program Policy (SPP)

It is also known as a general security policy, information security policy or IT security policy. The general security policy describes the whole organization's security objectives and its commitments for information security policy. It is a primary document from which other security policies are derived. In addition, it specifies the organization's compliance goals.

Issue Specific Security Policy (ISSP)

ISSP provides the guidelines for specific threats. An organization may create a security policy that focuses on phishing attacks, malware attacks, email security, etc. There are various processes and technologies used within the organization and therefore, specific guidelines are necessary to guarantee proper usage.

The guidelines of ISSP:

• ISSP addresses the specific areas of technologies and software.
• It requires frequent updates.
• It contains an issue statement that states the organization's position on the issue.

Three main approaches of ISSP:

• Create several independent ISSP documents.
• Create a simple comprehensive ISSP document.
• Create a modular ISSP document.

Example:

• Statement of policy.
• Violation of policy.
• Policy review and modification.
• System management.
• Prohibited uses of equipment

System-Specific Policy (SysSP)

System-specific security policy aims to focus on the information security policies of particular systems such as policies for customer-facing applications, payroll systems, or data archival systems. While issue-specific policies are formalized in a written document, the system-specific security policy is defined as standards and procedures used when configuring and maintaining the system.

Security standards

It is below the level of policy in the hierarchy. It specifies the guidance, defining the instruction or methods where policies are used to create the strategic documents and standards which are tactical documents that provide a course of action. Compliance with standards is necessary.

Security guidelines

It is a recommendation and practical guidance to help the staff implement standards and baselines. It targets all levels of staff including both general users and security professionals. These guidelines are flexible in nature.

Security procedures

It is the bottom layer of the security framework. It defines all the procedures that provide step-by-step instruction which guides the staff on how to correctly implement specific security controls.

Types of security policy

The main types of security policies are:-

An organizational security policy- This security policy describes the organizations security policy as in whole and also defines its assurance to information security. One can understand it like a parent security policy. All the security policies are derived from this. It also defines the organizations goals.

System-specific security policies - this security policy mainly focuses on security policy of a particular system. the example of this can be :payroll system, data archive system and customer-facing application.

Issue-specific security policies- this type of security policy focuses on particular issues. such as Threat and categories of threat. For example, It may be possible that an organization has an implementation of security policy on phishing attacks only or some other category of threat.

Elements of security policy

There are 8 elements of security policy

Purpose

The purpose of security policy is to create the approach of information security. It detects the information security threats such as misuse of networks, applications, software, computer systems. It maintains the reputation of organizations and legal responsibilities. The main purpose is to respect the customer and aims to fulfill customer requirements.

Audience

It defines the audience to whom the IT security policy applies and identifies those audiences which are out of the scope of the computer security policy. It defines customer requirements and statements also.

Information security objectives

Information security is a set of tools used to protect the digital and analog information. Its protection covers a range of IT domains as well as computer security. The main guideline of information security policy is to use tools like authentication and permissions to restrict an unauthorized user from accessing private and sensitive information. This protection helps to prevent information theft and modification or loss. The security measures of ISP consist of three main objectives also known as CIA.

Confidentiality

Confidentiality ensures the protection of secret and sensitive information from unauthorized users. It is a key feature of cybersecurity policy also. It uses multi-factor authentication, encryption, strong password, and segregation of data to maintain the access restriction. Security breaches of confidentiality occur due to human error or malicious event. It also protects from third-party software.

Integrity

In The world of security policy, Integrity defines the completeness and accuracy of the data. Integrity is important so that no one can modify the data and no one can misuse the data. Integrity ensures that the consistency and trustworthiness should be maintained over the whole life cycle. It also involves that during the transmission of data the data should remain unchanged. And, all the precautionary steps should be taken by the organization so that unauthorized user cant have an access of the confidential data.

Availability

Availability ensures that authorized users can reliably access the information. It is maintained through continuity of access procedures, backup, and duplication of information. It ensures the maintenance of hardware and network connections as well. When the network is attacked due to natural disasters, or when client devices fail, this situation is called the loss of availability.

Authority and access control policy

This element follows the hierarchical pattern. The security policy may have different terms for a senior manager, junior manager, or company employee. A senior manager may have the right to decide what data can be shared and with whom. Users have unique login IDs and credentials provided by the company which is used for the authentication of users.

Data classification

It classifies the data like top-secret data, secret data, confidential data, and public data. The objective of classifying data is to ensure that the sensitive data is protected from individuals and private data is protected from public access.

Data support and operations

It supports data backup, movements of data, and data protection. Data backup is necessary for security measures. To store backup media and move back up to the cloud for further procedure. Systems that store personal data or sensitive information must be protected according to industry compliance standards.

Security awareness and behavior

It provides training programs to educate the employees regarding security procedures and mechanisms. It follows three guidelines:

• Clean desk policy.
• Acceptable internet usage policy.
• Social engineering.

Responsibilities, rights and duties of personnel

It describes the responsibilities of company employees, appoints staff to carry out the user access reviews, comments, and manage security incidents. Responsibilities, rights, and duties are clearly defined as part of IT security. This is the most important requirement in Cyber security.

Common Mistakes

There are common mistakes to understand confidentiality, availability, and integrity. Confidentiality is related to the authenticity of the software, it protects the system from unauthorized access. Integrity prevents documents from unauthorized modifications. Availability ensures that the system is available for the authorized user whenever is needed.

Context and Applications

This topic is significant in the professional exam for graduate courses, especially for:

• Bachelor of Technology in Computer science
• Bachelor of Technology in Information Technology

Related Topics

• Data Breaches
• Safe computing
• Mobile Protection
• Physical security

Practice Problems

Q1: Which of the following refers to the violation of the principle if a computer is no more accessible?

1. Availability
2. Confidentiality
3. Access control
4. All of the these

Correct answer: a. Availability

Explanation: If the system is no longer accessible, it is a violation of principle Availability.

Q2: In CIA what is the meaning of C

1. Computer
2. Confidentiality
3. Connectivity
4. None of the above

Correct answer: b. Confidentiality

Explanation- CIA is the main security measures in ISP.C-Confidentiality, I-Integrity, A- Availability.

Q3: Security policy divided into how many categories?

Q4: A cyber attack is any offensive maneuver that targets?

1. Computer networks
2. Infrastructure
3. Computer information system
4. All

Correct answer: d. All

Explanation- A cyber attack is an attempt to disable computers, steal data, or utilise a compromised computer system to launch further attacks. It target computer network, infrastructure and computer information system.

Q5: SPP is part of

1. Policies
2. Standards
3. Guidelines
4. Procedures

Correct answer: a.Policies

Explanation- The full form of SPP is Security Program Policy. and it is a part of security policies. There are three types of security defined by the management. They are general or security program policy, issue-specific security policy and system-specific security policy.