CBK#3 Security Management Practices - Page 3


Security Program
Categories of policy:
- Regulatory
- Advisory
- Informative

Security Policy:
Is a general statement produced by senior management to dictate what type of role security plays within the organization.
Are written in broad and overview terms to cover many subjects in a general fashion.
- Organisational security policy: Provides scope and direction for all further security activities within the organization.
- Issue-specific policies: Address specific security issues that management feels need more detailed explanation and attention, to make sure a comprehensive structure is built and all employees understand how they are to comply with these security issues.
- System-specific policy: Presents management's decisions that are closer to the actual computers, networks, applications and data.

Standards:
Specify how hardware and software products are to be used. They provide a means to ensure that specific technologies, applications, parameters and procedures are carried out in a uniform way across the organization.
These rules are usually compulsory within a company and they need to be enforced.

Baselines:
Provide the minimum level of security necessary throughout the organization.

Guidelines:
Are recommended actions and operational guides for users, IT staff, operations staff and others when a specific standard does not apply.

Procedures:
Are step-by-step actions to achieve a certain task.
Procedures are looked at as the lowest level in the policy chain.

Data Classification
The primary purpose of data classification is to indicate the level of confidentiality, integrity and availability that is required for each type of information.
It helps to ensure that the data is protected in the most cost-effective manner.

Common classification levels (from highest to lowest):
Commercial business ->
- Confidential
- Private
- Sensitive
- Public
Military ->
- Top secret
- Secret
- Confidential
- Sensitive but unclassified
- Unclassified


CISSP Summary 2002

Contact:

E-mail: john.wallhoff@mailbox.swipnet.se
Written by: J.Wallhoff January - April 2002
Updated by: J.Wallhoff April 2002