Understanding Security Policy Regulations And Standards

Business policies are the guidelines that are developed by an organization to govern its actions. The policies define standards of correct behaviour for the business and its employees. In networking, policies define the activities that are allowed on the network.

This sets a baseline of acceptable use. If behaviour that violates the business policy is detected on the network, it is possible that a security breach has occurred. In this article, I want to talk about security policy regulations and standards in cyber security.

An organization may have several guiding policies, as listed below.

Company policies
  • These policies establish the rules of conduct and the responsibilities of both employees and employers.
  • Policies protect the rights of workers as well as the business interests of employers.
  • Depending on the needs of the organization, various policies and procedures establish rules regarding employee conduct, attendance, dress code, privacy and other areas related to the terms and conditions of employment.

Employee policies
  • These policies are created and maintained by human resources staff to identify employee salary, pay schedule, employee benefits, work schedule, vacations, and more.
  • They are often provided to new employees to review and sign.

Security policies
  • These policies identify a set of security objectives for a company, define the rules of behavior for users and administrators, and specify system requirements.
  • These objectives, rules, and requirements collectively ensure the security of a network and the computer systems in an organization.
  • Much like a continuity plan, a security policy is a constantly evolving document based on changes in the threat landscape, vulnerabilities, and business and employee requirements.

Security Policy

A comprehensive security policy has a number of benefits, including the following:

  • Demonstrates an organization’s commitment to security
  • Sets the rules for expected behavior
  • Ensures consistency in system operations, software and hardware acquisition and use, and maintenance
  • Defines the legal consequences of violations
  • Gives security staff the backing of management

Security policies are used to inform users, staff, and managers of an organization’s requirements for protecting technology and information assets. A security policy also specifies the mechanisms that are needed to meet security requirements and provides a baseline from which to acquire, configure, and audit computer systems and networks for compliance.

The following policies may be included in a security policy:

  • Identification and authentication policy: Specifies the authorized persons that can have access to network resources and the identity verification procedures.
  • Password policies: Ensure passwords meet minimum requirements and are changed regularly.
  • Acceptable Use Policy (AUP): Identifies network applications and uses that are acceptable to the organization. It may also identify ramifications if this policy is violated.
  • Remote access policy: Identifies how remote users can access a network and what is accessible via remote connectivity.
  • Network maintenance policy: Specifies network device operating system and end user application update procedures.
  • Incident handling procedures: Describe how security incidents are handled.

One of the most common security policy components is an AUP. This can also be referred to as an appropriate use policy. This component defines what users are allowed and not allowed to do on the various system components. This includes the type of traffic that is allowed on the network. The AUP should be as explicit as possible to avoid misunderstanding.
For example, an AUP might list specific websites, newsgroups, or bandwidth-intensive applications that are prohibited from being accessed by company computers or from the company network. Every employee should be required to sign an AUP, and the signed AUPs should be retained for the duration of employment.

BYOD Policies

Many organizations must now also support Bring Your Own Device (BYOD). This enables employees to use their own mobile devices to access company systems, software, networks, or information. BYOD provides several key benefits to enterprises, including increased productivity, reduced IT and operating costs, better mobility for employees, and greater appeal when it comes to hiring and retaining employees.
However, these benefits also bring an increased information security risk because BYOD can lead to data breaches and greater liability for the organization.
A BYOD security policy should be developed to accomplish the following:

  • Specify the goals of the BYOD program.
  • Identify which employees can bring their own devices.
  • Identify which devices will be supported.
  • Identify the level of access employees are granted when using personal devices.
  • Describe the rights to access and activities permitted to security personnel on the device.
  • Identify which regulations must be adhered to when using employee devices.
  • Identify safeguards to put in place if a device is compromised.

The following BYOD security best practices help mitigate BYOD vulnerabilities:

  • Password-protected access: Use unique passwords for each device and account.
  • Manually control wireless connectivity: Turn off Wi-Fi and Bluetooth connectivity when not in use. Connect only to trusted networks.
  • Keep updated: Always keep the device OS and other software updated. Updated software often contains security patches to mitigate the latest threats or exploits.
  • Back up data: Enable backup of the device in case it is lost or stolen.
  • Enable “Find my Device”: Subscribe to a device locator service with a remote wipe feature.
  • Provide antivirus software: Provide antivirus software for approved BYOD devices.
  • Use Mobile Device Management (MDM) software: MDM software enables IT teams to implement security settings and software configurations on all devices that connect to company networks.

Regulatory and Standards Compliance

There are also external regulations regarding network security. Network security professionals must be familiar with the laws and codes of ethics that are binding on Information Systems Security (INFOSEC) professionals.
Many organizations are mandated to develop and implement security policies. Compliance regulations define what organizations are responsible for providing and the liability if they fail to comply. The compliance regulations that an organization is obligated to follow depend on the type of organization and the data that the organization handles. Specific compliance regulations will be discussed later in the course.

About Adeniyi Salau 1730 Articles
Adeniyi Salau is a highly dedicated and committed Blogger of repute. He likes sharing his IT knowledge with others. My desire is to impact as many lives as possible with my IT skills. You can download my mobile APP. Download the ICTLOAD APP on Google Playstore. Thanks.