MD1 Risk and asset security: Elements of a security plan Flashcards

1
Q

Elements of a security plan

A

Security plans consist of three basic elements:

Policies
Standards
Procedures.

These three elements are how companies share their security plans. These words tend to be used interchangeably outside of security, but you’ll soon discover that they each have a very specific meaning and function in this context.

2
Q

Policy

A

A policy in security is a set of rules that reduces risk and protects information. Policies are the foundation of every security plan. They give everyone in and out of an organization guidance by addressing questions like, what are we protecting and why? Policies focus on the strategic side of things by identifying the scope, objectives, and limitations of a security plan. For instance, newly hired employees at many companies are required to sign off on an acceptable use policy, or AUP. These provisions outline secure ways that an employee may access corporate systems.

3
Q

Standards

A

Standards are the next part. These have a tactical function, as they concern how well we’re protecting assets. In security, standards are references that inform how to set policies. A good way to think of standards is that they create a point of reference. For example, many companies use the password management standard identified in NIST Special Publication 800-63B to improve their security policies by specifying that employees’ passwords must be at least eight characters long.

4
Q

Policies

A

The last part of a plan is its procedures. Procedures are step-by-step instructions to perform a specific security task. Organizations usually keep multiple procedure documents that are used throughout the company, like how employees can choose secure passwords, or how they can securely reset a password if it’s been locked. Sharing clear and actionable procedures with everyone creates accountability, consistency, and efficiency across an organization.
