In the previous article, "Review information security governance (3)", J0ker introduced information classification as a tool for making an organization's security plan more effective; information classification plays an irreplaceable role in preparing a security plan. Once risk analysis and information classification are complete, what comes next in the security plan? The answer is preparing a set of security documents: policy, standard, baseline, guideline and procedure. Those are the subject of this article.
The ultimate goal of an information security plan is to protect the confidentiality, integrity and availability of the target organization's information assets against threats such as unauthorized access, tampering, destruction and leakage. These threats do frequently damage an organization's information assets, which is why the information security plan must be part of the organization's overall asset-protection plan. Information security technology alone cannot fully protect information assets from these threats; much of the protection an organization needs should, or can only, be achieved through governance measures. To implement a security plan successfully, therefore, everyone in the organization must understand and support it. This is where the security policy, security standard, security baseline, security guideline and security procedure come in: a set of governance measures that help every member of the organization understand the security plan and that regulate members' behaviour.
As the person in charge of the security plan, the organization's information security director is usually responsible for formulating and deploying the organization's security policies, standards, guidelines and procedures, and often draws on people from the IT department to write these documents. An IT background helps the security staff understand the technical side of the security plan, but a team made up mostly of technical personnel may find it hard to grasp the organization's business objectives and strategy. Security directors often turn to published material or consulting firms for help while preparing security documents, but what those channels provide can only serve as a reference for "how to do it", not for "why". The development and implementation of security documents therefore also requires the security director to bring in the responsible people from each department of the organization, just as is done for risk analysis and information classification projects.
In addition, an organization's operations are usually subject to laws and regulations, and these also need to be reflected in its security policies and procedures. Laws and regulations specify who in the organization is responsible for what, and what must be done to meet the organization's operational requirements. This introduces another group of important concepts in the CISSP CBK: duty of loyalty, due care and due diligence.
Duty of loyalty is mainly a moral and legal requirement: members of the organization must not exploit their position and advantages for their own benefit;
Due care requires the organization's governance layer to act honestly, prudently and responsibly towards itself and the organization; due diligence is the set of things the governance layer must do to keep the organization in compliance with legal, regulatory, consistency, security or procedural requirements. The CISSP CBK lists seven points of due diligence.
In J0ker's understanding, due care is mainly subjective, while due diligence is objective. CISSP exam questions often test the concepts of due care and due diligence, or give a scenario and ask whether it is due care, due diligence or some other concept; pay attention to the specific content of these concepts and the differences between them while reviewing.
Having covered the significance of security documents for the security plan and the related background, we now return to the documents themselves. First, their definitions:
Policy: an organization-level information security policy gives guidance, at the organization's governance layer, on the objectives, evaluation and responsibilities of the security program, and defines the organization's understanding of information security. Information security policies are short and independent of any particular technology or solution; they provide the governance layer's authorization for the further security standards that are based on specific technologies or solutions. In a large organization, department-level security policies may also be formulated and deployed; these resemble the organization-level policy but add descriptions and provisions specific to the department's functions. The Official Guide contains example policies; refer to them if needed.
Standard: security standards support the implementation of the security policy and make it more effective by specifying concrete requirements and directions for implementation. They set out mandatory activities, behaviours, rules and systems, usually name specific technical means, products or solutions, and apply across the whole organization.
Baseline: a security baseline is similar to a security standard in that it is also a document that supports implementation of the security policy through mandatory rules. The difference is that a security standard focuses at a macro level on what must be achieved, while a baseline sets mandatory rules according to the characteristics of the individual subtypes within one class of information asset. For example, if the operating systems the organization uses include Windows 2000, Windows XP and Windows 2003, the requirement that all of these systems run a specified vendor's anti-virus software at a specified version is a security standard; the specific security configuration to apply to Windows 2000, XP and 2003 respectively is the security baseline.
Guideline: a security guideline is a non-mandatory document containing recommendations. It recommends behaviours or activities that the organization and its members can adopt to reach a higher level of security or a better understanding of information security.
Procedure: a security procedure gives the organization and its members feasible, concrete steps and criteria for their operating environment, so that the requirements of the security policy, security standards and security baselines are met.
The CISSP Official Guide also gives a simple example of each security document and compares them; it is worth reading them side by side when you have time and carefully comparing how they relate to and differ from one another. J0ker has drawn a diagram briefly summarizing the relationships between these security documents, shown in the figure below:
Security policies, standards, baselines, guidelines and procedures are critical to ensuring that every member of the organization understands and complies with the organization's security plan while carrying out their work. Questions on the definitions of these documents appear regularly in the CISSP exam; during review, pay particular attention to the connections and differences between them, and go over the examples in the guide to remember how each type of document is written.