The relationship between cybersecurity policies, standards, and guidelines.

Information security policies, standards, and guidelines work together, like an engine, to achieve the objectives of an organization's cybersecurity program. Policies define the institution's control environment through a governance structure and describe required, expected, and prohibited activities. Generally, policies spell out the decisions of policymakers. In turn, these decisions dictate the acceptable activities of users, developers, administrators, and managers in conformity with their individual information security responsibilities. Standards and guidelines are important in bringing the spirit of the policies to life. However, more often than not, there are inherent limitations in the operability of security policies in an organization, including:

  1. Applicability. This arises where a policy does not address or provide a solution for a challenge, often because the challenge was not anticipated by the policymakers.
  2. Ambiguity. Another instance is when the provisions of a policy appear vague and ambiguous. Here, valuable time may be consumed in figuring out what actions are necessary in reacting to a security incident.
  3. Awareness. In some cases, personnel responsible for adhering to a procedure may not have a proper understanding of it. This could be due to recent changes to the policy, or simply due to a lack of awareness.

Relationship between Policies, Standards, and Guidelines

Policies are implemented through standards and guidelines. Standards relate to the tools appropriate for achieving the security objectives set forth in the enterprise policies. Standards apply to the physical elements or tools used to achieve enterprise goals; they include technology, facilities, and human resources. An example of a standard is the requirement to use open-source software in the acquisition phase of the Software Development Life Cycle. Guidelines, on the other hand, set parameters for the behavioural element of using those standards to achieve the objectives of the enterprise security policy. These include the conduct and actions expected of employees, partners, contractors, and, in some cases, customers. An example of a guideline is the requirement that an employee properly verify that an individual has legitimate access before allowing them to enter a facility.

Policy and Standards: Technology

While technology serves as a mitigation tool, it is also the major conduit through which risk is introduced. Management must understand the benefits and limitations of the technology it uses. For example, it needs to conduct a quarterly capability maturity test to reveal whether other types of controls are necessary to compensate for any identified limitations. However, there may be weaknesses in the following instances:

  1. When software is not updated and guarded against viruses and other forms of malware
  2. Issues with hardware leading to system breakdown
  3. When there is incoherence between the technology and the rules governing its use in defining and identifying threats
  4. When cyber threats change rapidly in ways that were not anticipated by the designers, and
  5. When the output of controls gives unintended results

Management should continually assess the capability of the institution's processes, people, and technologies to sustain the appropriate level of information security based on the institution's risk profile, size, complexity, and risk appetite.

Considering these weaknesses, an organization must develop standards to ensure that its use of technology is consistent with the procedures of industry and specialized associations. Management must continuously deploy innovative technologies that can enhance the organization's security culture through communicated and implemented standards.

Policy and Guidelines: People

People (employees) are the engines that develop, execute, and implement policies, standards, and procedures. For people to carry out their duties as expected, management must engage them in a continuous learning process. These learning processes are essentially ways of communicating to employees the guidelines applicable to their line of business within the organization. An organization must develop a strategy of 'creating a learning organization' as a tool for implementing guidelines, which ultimately determines how it achieves its objectives. This strategy focuses on creating learning platforms to (a) support executive decision making, and (b) support operators and operations, including employees in Security Operation Centers and Cyber Fusion Centers.

Management relies on people throughout the life cycle of information security. In most cases, controls are implemented to prevent, detect, and correct security incidents of all forms. For example, access controls that keep unauthorized persons out of systems can be a good way of preventing fraud. Until this opportunity is fully taken up and exhausted, this area remains a weakness and vulnerability from the people perspective. Because of this, guidelines are very important in ensuring that the weaknesses inherent in people are contained. However, the following are other weaknesses from the people perspective:

  1. Fraudulent but trusted individuals who have access to, or knowledge of, security controls
  2. Lack of awareness of policies, standards, and procedures
  3. Lack of talent or of the required knowledge of threats
  4. Lack of communication between personnel