CISSP Domain 1 Series: Key Concepts – Security Policy, Standards, Procedures, Baseline, and Guidelines
Comprehensive Framework for Security Policy, Standards, Procedures, Baseline, and Guidelines
1. Security Policy
Definition: A security policy is a high-level document that outlines an organization’s overall security posture, goals, and objectives. It provides the foundation for all other security-related documents and practices.
Key Points:
- Purpose: Defines the organization’s approach to managing security, including roles, responsibilities, and enforcement mechanisms.
- Scope: Covers all aspects of security within the organization, including physical, network, and information security.
- Approval: Typically approved by senior management or the board of directors.
Example:
- All employees must use multi-factor authentication (MFA) to access sensitive systems.
- All servers must be properly hardened.
Manager’s Perspective: From a managerial viewpoint, the security policy sets the tone for the organization’s security culture. It is crucial for managers to ensure that the policy is clear, comprehensive, and aligned with business objectives. Managers must also ensure that the policy is communicated effectively to all employees and that compliance is monitored.
2. Standards
Definition: Standards are detailed, mandatory rules designed to support and enforce the security policy. They provide specific technical and operational requirements.
Key Points:
- Purpose: Ensure consistency and uniformity in security practices across the organization.
- Details: Include specific criteria, such as encryption standards, password requirements, and network configurations.
- Enforcement: Compliance with standards is mandatory.
Example:
- MFA must be implemented using a combination of something you know (password) and something you have (token or mobile app). All MFA solutions must support time-based one-time passwords (TOTP).
- Administrators must use Windows 2008 as the base operating system.
Manager’s Perspective: Managers need to ensure that standards are practical and achievable. They should facilitate the development of standards by involving subject matter experts and ensuring that they align with the overall security policy. Managers must also ensure that compliance with standards is regularly reviewed and enforced.
3. Procedures
Definition: Procedures are step-by-step instructions on how to implement security policies and standards. They provide detailed guidance on performing specific tasks.
Key Points:
- Purpose: Provide clear instructions for employees to follow, ensuring consistent and correct implementation of security controls.
- Details: Include step-by-step actions, tools, and resources needed to perform tasks.
- Flexibility: While procedures should be followed closely, they may be updated as needed to adapt to new threats or changes in the environment.
Example:
- Step-by-step guide for setting up MFA:
  - Log into the user account portal.
  - Navigate to the security settings.
  - Select ‘Enable MFA’.
  - Follow the prompts to set up the authentication app.
  - Scan the QR code with the authentication app.
  - Enter the code generated by the app to confirm setup.
- The template should be applied when a system is built.
Manager’s Perspective: Managers should ensure that procedures are clear, detailed, and accessible to those who need them. They should also ensure that employees are trained on the procedures and understand their importance. Regular reviews and updates of procedures are necessary to adapt to changing security landscapes.
4. Guidelines
Definition: Guidelines are recommendations and best practices designed to help employees and managers make informed decisions about security. Unlike standards and procedures, guidelines are not mandatory.
Key Points:
- Purpose: Provide advice and suggestions to help achieve the goals set out in the security policy and standards.
- Flexibility: Offer flexibility and discretion in implementation.
- Details: Might include best practices for secure coding or recommendations for configuring firewalls.
Example:
- Best practices for using MFA:
  - Use authentication apps over SMS for better security.
  - Regularly update your passwords even with MFA enabled.
  - Do not share your authentication tokens or devices with others.
- To ease the application of templates, local GPOs can be used to roll out the changes.
Manager’s Perspective: Managers should encourage the adoption of guidelines to enhance security practices. While not mandatory, guidelines can significantly improve the organization’s security posture when followed. Managers should promote awareness and understanding of guidelines and encourage their integration into daily operations.
5. Baselines
Definition: Baselines are a minimum set of security standards for a specific system or process. They serve as a benchmark to measure and maintain the level of security.
Key Points:
- Purpose: Provide a reference point for maintaining and improving security.
- Details: Include specific, measurable criteria for security configurations and settings.
- Enforcement: Used to ensure that systems comply with organizational security standards.
Example:
- All user accounts must have MFA enabled. Systems should be configured to enforce MFA at the login screen and require periodic re-authentication.
- The specific settings for Windows 2008 should match those in the CIS security template.
Manager’s Perspective: Managers should ensure that baselines are established for all critical systems and processes. They should regularly review and update baselines to adapt to new threats and technological changes. Compliance with baselines should be monitored and enforced to maintain a consistent security posture.
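A baseline is only useful when its criteria are measurable, so it can be written as data and checked mechanically, which is what the compliance monitoring above depends on. The following Python script is an added example and not part of the original article: it encodes a constructed baseline modelled on the MFA and configuration-template examples (the setting names such as mfa_enabled and the placeholder template name are assumptions, not taken from any product or from the CIS template) and reports every deviation for a set of constructed system configurations.

```python
"""Baseline compliance check (added example, not part of the original article).

Each baseline control is a (setting, operator, expected) rule and a system's
captured configuration is checked against every rule. The baseline values and
the sample configurations below are constructed for illustration; setting names
like "mfa_enabled" and the template name are assumptions, not real product keys.
"""
import operator

# Comparison operators a rule may use between the observed and expected value.
OPERATORS = {
    "==": operator.eq,
    "<=": operator.le,
    ">=": operator.ge,
    "in": lambda observed, allowed: observed in allowed,
}

# Constructed baseline: MFA enabled and enforced at login, periodic
# re-authentication, an approved MFA method, and a hardening template applied.
BASELINE = [
    ("mfa_enabled", "==", True),
    ("mfa_enforced_at_login", "==", True),
    ("reauth_interval_minutes", "<=", 480),
    ("mfa_method", "in", {"totp", "hardware_token"}),
    ("config_template", "==", "CIS-template-placeholder"),  # placeholder name
]


def check_baseline(config, baseline=BASELINE):
    """Return a list of deviations; an empty list means the system is compliant.

    Each deviation is (setting, observed, operator, expected). A setting missing
    from the captured configuration is reported with observed=None, because an
    unmeasured control cannot be counted as compliant.
    """
    deviations = []
    for setting, op, expected in baseline:
        observed = config.get(setting)
        compare = OPERATORS[op]
        try:
            ok = observed is not None and compare(observed, expected)
        except TypeError:  # wrong type captured, e.g. "480" instead of 480
            ok = False
        if not ok:
            deviations.append((setting, observed, op, expected))
    return deviations


def compliance_report(systems, baseline=BASELINE):
    """Map each system name to its list of deviations."""
    return {name: check_baseline(cfg, baseline) for name, cfg in systems.items()}


# Constructed sample configurations, as an inventory tool might capture them.
SYSTEMS = {
    "fileserver-01": {
        "mfa_enabled": True,
        "mfa_enforced_at_login": True,
        "reauth_interval_minutes": 240,
        "mfa_method": "totp",
        "config_template": "CIS-template-placeholder",
    },
    "legacy-app-02": {
        "mfa_enabled": True,
        "mfa_enforced_at_login": False,
        "reauth_interval_minutes": 1440,
        "mfa_method": "sms",
        # config_template was not captured for this host
    },
}

if __name__ == "__main__":
    for name, devs in compliance_report(SYSTEMS).items():
        status = "compliant" if not devs else f"{len(devs)} deviation(s)"
        print(f"{name}: {status}")
        for setting, observed, op, expected in devs:
            print(f"  {setting}: observed {observed!r}, required {op} {expected!r}")
```

Because the rules are data, the same checker serves any baseline: adding a control means appending a rule, and a system that drifts from the benchmark shows up as a concrete deviation that can be tracked to closure.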