CISSP prep: Security policies, standards, procedures and guidelines
This article is part of our CISSP certification prep series. For more CISSP-related resources, see our CISSP certification hub.
Information security is one of the most important elements determining the success and longevity of organizations. Trained, knowledgeable information security professionals have become essential for organizations that want to take the next big step.
The CISSP certification, which is vendor-neutral and administered by the International Information System Security Certification Consortium, or (ISC)², is a strong credential for information security professionals who want to keep pace with evolving risks and threats in cyberspace. Security managers, security consultants, security analysts, IT directors, security architects and security systems engineers, among others, benefit from holding it.
Organizations, and in particular upper management or the policy board, need to create security policies that clearly establish the role and importance of security within the organization. Several factors should be considered when writing these policies: the language should be plain and free of technical jargon so that every employee can understand it, and the policy should state the organization’s mission for security together with the business objectives it supports. Policies should also be forward-looking, and they must be reviewed and updated whenever there are significant changes within the organization.
The CISSP exam is known for its broad and diverse set of questions, which span eight domains: Security and Risk Management, Asset Security, Security Engineering (now named Security Architecture and Engineering), Communication and Network Security, Identity and Access Management, Security Assessment and Testing, Security Operations, and Software Development Security. Candidates should take the time to study each of these domains carefully. One topic that candidates often find difficult is security policies, standards, procedures and guidelines, which falls under the Security and Risk Management domain.
What types of security policies does the CISSP exam cover?
The exam classifies security policies in two ways. By purpose, there are three types: regulatory, advisory and informative. By scope, there are also three: organizational, system-specific and issue-specific. It is important to understand all six and to be able to tell them apart.
- Regulatory. A regulatory policy ensures that the organization strictly follows requirements imposed by laws or industry regulations. Regulatory policies usually apply to public utilities, financial institutions and other organizations that operate with the public interest in mind. The article’s example is a change in Texas state law about a decade ago that requires companies to retain records of their employees’ patents and inventions; a policy that implements such a retention requirement is regulatory.
- Advisory. This type of policy strongly advises employees about which activities and behaviors are allowed or prohibited under standards set by the organization. Although the provisions of an advisory policy are not framed as mandatory, violations can still carry serious consequences; in some organizations sanctions range from formal warnings to termination.
- Informative. This type of policy simply informs, without imposing any requirements, implied or explicit. Informative policies are typically written to educate employees about a topic. An example is an employee ombudsman program that partners with Human Resources to advocate for employees during the investigation of complaints.
- Organizational. Also called a program policy, this is the blueprint of the organization’s security program. It sets out the strategic plan for how the organization will implement its security standards, procedures and guidelines for its computer systems and other assets, and it assigns responsibility for the program.
- System-specific. This type of policy addresses a single system or class of systems. It specifies, for example, the approved hardware and software for that system and how the system is to be configured and protected.
- Issue-specific. Finally, this type of policy zooms in on a particular functional area that needs focused attention. Rather than burying the requirements in the organizational policy, the organization writes a separate sub-policy that addresses the level of security needed for that issue. Examples include email, change management, encryption, access control and vulnerability management policies.
Security standards in the CISSP exam
Security standards also fall under the Security and Risk Management domain. Standards are more specific than policies and are considered tactical documents: they spell out the mandatory requirements, technologies or processes needed to satisfy a policy.
Standards matter because policies are deliberately written without technology drivers; a policy says what must be achieved but not with which mechanism. Standards close that gap by naming the mandatory mechanisms that information security staff use to implement the policy. For example, where a policy requires that sensitive information be protected in transit, the supporting standard might mandate that all email communications be encrypted.
Guidelines and procedures: What you need to know
Another topic under the Security and Risk Management domain is guidelines and procedures. How are these defined, and how do policies, standards, procedures and guidelines relate to one another? A look at their respective definitions is the best place to start.
A guideline is a statement, within a policy or procedure, that recommends a particular course of action. It takes the form of a recommendation or suggestion on how things ought to be done, so it is flexible and can be adapted to the needs of the situation. Some information security professionals confuse guidelines with best practices, but the two serve different purposes: a guideline recommends a course of action within the organization, while best practices are industry-accepted reference points that organizations use to measure their own performance and gauge liability.
Procedures are the most specific type of security document. They give very detailed, step-by-step instructions for implementing the standards and guidelines that support the policies.
Procedures are commonly written for configuring operating systems, network hardware and databases, and for instructing staff how to add new software, systems and users, among other tasks. Because no two organizations are exactly alike, procedures differ from organization to organization. Certain types of procedures, however, are present in most if not all organizations, including the following:
- Incident response–These procedures direct members of the organization on how to detect an incident and how to respond to it. They provide a step-by-step guide to when management, and when external parties such as law enforcement agencies, should be brought in and take over.
- Auditing–Because auditing is an integral and sensitive activity, these procedures specify what to audit, why the audits are being done and how to protect and retain the audit logs.
- Environmental/Physical–Examples include protecting Ethernet cabling from wiretapping and controlling the temperature of rooms where key equipment is housed.
- Administrative–These procedures separate the duties of the employees who are directly in charge of the organization’s systems, enforcing separation of duties. A good example is a rule that database administrators must not have access to the company’s firewall logs.
- Configuration–These procedures cover the secure configuration of operating systems, firewalls and routers, among other components.
Once procedures are written, the next step is implementation. When commitment starts at the top, with management visibly following the rules it sets, every employee begins to take the policies seriously and avoids the mistakes that could damage the organization. Everyone in the organization must be properly trained in following the established policies, and that training should be delivered regularly through a complete and concise program.
Policy/standard procedure hierarchy
There is a hierarchy that relates policies, standards and procedures to one another, and two schools of thought on how to order it, each giving organizations a different pattern for their information security program.
The first approach places standards at the top of the hierarchy, on the grounds that technology remains relatively constant even as the organization’s policies change in line with changing requirements. Under this view, policies are subordinate to overarching standards.
The second school of thought puts policy above standards: the organization’s requirements determine which technology is used, so standards depend on the requirements set out in the policy. This is the view the CISSP exam takes: policy sits above standards.
Ordered by level of authority, policy comes first. It is a high-level statement that protects information within the organization, lays out business rules so that staff are treated consistently and fairly, and ensures compliance. Examples are email policies, internet use policies and dress code policies.
Standards come next. They establish an acceptable level of attainment or quality and impose mandatory, low-level, quantifiable controls; a requirement that all email be encrypted is an example. Procedures follow, presenting a detailed series of steps that lead to a specific end; standard operating procedures are the typical example. Lastly, guidelines provide additional advice about how to act or react in a given situation. They are recommended but not mandatory; screening guidelines and employment discrimination guidelines are everyday examples.
In a nutshell, a policy identifies the issue and its scope and answers “Why do I need to do this?”; a standard assigns quantifiable measures and answers “What is required?”; a procedure sets out the proper steps and answers “How do I do it?”; and a guideline provides recommended guidance that supplements the other three.
With eight domains covered by the exam, it is the candidate’s responsibility to cover every domain and its sub-topics. In the months before the exam, candidates can invest in books and exam guides that cover not only Security and Risk Management but the seven other domains as well. Online practice exams and video reviews are also worthwhile.
As far as approach is concerned, it is best to know the correct order of processes and activities. Master the hierarchy of policies, standards and procedures, and learn the types of risks, threats and challenges that affect each. Familiarize yourself with examples of every type of security policy so that you do not mix them up under exam conditions.
Information security protects valuable data which, if compromised, could bring down an organization. Policies, standards, procedures and guidelines all play integral roles in security and risk management, and understanding how they fit together enables information security professionals to perform at the level needed to protect data from risks, threats and attacks in cyberspace.