CySA+ domain #12: Frameworks, policies, controls and procedures
The policy of any organization is the set of best practices and guidelines that protect business, customers and employees. Most often, the policy is created and based on the best practice frameworks established by popular industry groups, such as Payment Card Industry Data Security Standard (PCI-DSS) and National Institute of Standards and Technology (NIST). In addition, organization policy in several cases is also directed and influenced by the external compliance obligations that regulators impose on the company.
In this article, we will delve into frameworks, policies, controls and procedures, as well as their relations with one another. CySA+ candidates must understand and grasp these topics to take and pass the CySA+ exam.
Regulatory compliance is the process of implementing security measures that are essential to comply with laws, regulations and guidelines that ensure business continuity. Organizations must adhere to regulatory compliance. Noncompliant organizations may have to face a legal punishment under laws such as the General Data Protection Regulation (GDPR).
A cybersecurity framework is the set of measures, practices and rules established with the help of governmental institutions and local businesses to ensure the safety of organizations’ IT environment by overseeing cybersecurity risks and vulnerabilities and helping them to understand and strengthen their management of cybersecurity risks. Below is a list of some objectives related to the cybersecurity framework:
- Define the current security posture
- Define target security posture
- Continuous improvement
- Measure progress towards target posture
- Identify communication risks
From the CySA+ exam viewpoint, some important frameworks include the National Institute of Standards and Technology (NIST), International Standard Organization (ISO), Sherwood Applied Business Security Architecture (SABSA), Control Objectives for Information and related Technology (COBIT), Information Technology Infrastructure Library (ITIL) and lastly, The Open Group Architecture Framework (TOGAF).
An organization’s information security policy is a set of high-level statements issued by a company to ensure that employees within such company or its network adhere to rules and guidelines with regard to the data which is stored digitally within company’s boundaries of authority or at any point in the network. The following sections will help us gain insight into some policies that are mandatory for the CySA+ exam.
A password policy consists rules used to define password length in order to determine whether a new password is valid or not. For example, password strength may include using a minimum of eight characters, as well as utilizing at least one capital letter and/or a special character(s).
Your system may incorporate Personally Identifiable Information (PII). whose protection is necessary to avoid data breach and compliance issues. Therefore, a strong password policy is vital to protect employees’ PII information.
Password rules may include the following standards:
- Specifying a minimum password age, usually three months
- Minimum and maximum length
- Disallowed user IDs or usernames
- Password reuse frequency
- Character restrictions
Acceptable use policy
An acceptable use policy (AUP) is the document that comprises some rules that must be followed by users or employees to gain limited access and constraints to available services or resources in an organization. Various educational facilities and enterprises require students or employees to sign an AUP before granting a network ID. AUPs may prevent users from using Facebook or YouTube during office time.
Data ownership policy
A data ownership policy defines whether a user has a partial, full or no rights to the ownership of data. In fact, data ownership is a part of the data governance effort that specifies the company’s legal ownership of enterprise-wide data.
Data retention policy
In organizations, data is destroyed after a specific period of time when its purpose has been achieved or the company no longer needs it. A data retention policy defines a time period for different categories of data, and such data is retained until its expiration date is reached.
Account management policy
The account management policy stipulates an account life cycle from provisioning through the active use and then decommissioning.
Data classification policy
A data classification policy governs the management of data to certify that sensitive or confidential information is handled well with respect to threats it poses to a company. Doing so can help to categorize data based on its sensitivity, such as data related to national security, military or business secrets.
Organizations implement some security controls to ensure the security of its IT environment. However, these security controls must be selected based on the criteria and parameters that the organization selects for its environment or may be imposed on it by the outside regulator. For example, the company must be required to implement necessary controls to ensure the confidentiality, integrity and availability of data to customers.
The following sections delve into some security controls that are also a part of CySA+ exam.
Physical controls are necessary to ensure the physical security of an organization’s IT infrastructure. These controls encompass burglar alarms, locks, lighting, mantraps, perimeters, fences and fire suppression system.
Unlike physical controls, logical controls involve technical controls that are implemented digitally or in a software form. Examples of logical controls include encryption, antivirus, firewall rules, IPS, IDS, SIEM, SOAR and Access Control Lists (ACLs).
Administrative controls are vital to implementing security management practices in an organization. Examples of these controls incorporate separation of duties, principle of least privilege, and user account reviews.
Procedures are a series of actions carried out in a certain order or manner. Organizations and individuals must follow procedures in specific situations. Procedures, in fact, help to achieve the company’s security endeavors. The following procedures are common in the organization’s policy framework:
Continuous monitoring procedures cover the company’s security monitoring activities, such as using an effective threat intelligence and 24/7 monitoring of the IT environment through a Security Operation Center (SOC).
Evidence production procedures stipulate how a company will respond to a legal request to produce digital evidence. Legal requests can be a court order, legal notice or noncompliance notice.
Organizations may involve thousands of systems and applications whose periodic, physical and digital maintenance is indispensable. Patching is one of the essential components of digital maintenance. Patching procedures, therefore, involve the process of applying patches to systems and applications under the supervision of security analysts.
Compensating controls, also known as alternative controls, are mechanisms implemented to meet requirements for security measures that are deemed too difficult to implement at the present time.
Control testing procedures
In previous sections, we have studied some security controls such as physical controls, logical controls, and administrative controls. Control testing procedures involve some guidelines to test these security controls and verifying whether they are working properly.
Verification and quality controls
It is vital to verify that all security controls are tested and functioning properly. Organization’s security program should comprise procedures for carrying out regular tests of security controls and supplement those informal tests with a formal evaluation of the enterprise’s security effort. These evaluations can be performed through audits, evaluations, assessments, maturity models and certification.
The bottom line (conclusion)
It needs to be stressed that cybersecurity frameworks, common policies, controls and procedures have paramount importance in achieving the overall security endeavors of any organization. These are all sets of technical documentation that contain rules and guidelines to achieve a specific security target. The CySA+ candidates must grasp all these topics to take and pass the CySA+ exam with an elite score.
- Regulatory Compliance, TechTarget
- Regulatory Compliance, Safeopedia
- A Beginner’s Guide to Cybersecurity Framework, Edureka
- Information Security Policy, Techopedia
- Password policies, IBM
- Creating Strong Password Policy Best Practices, Digicert
- Acceptable use policy (AUP), TechTarget
- What is a Data Classification Policy? Digital Guardian
- Compensating control (alternative control), TechTarget