Skip to content

Understanding Security Policy Regulations And Standards

Business policies are the guidelines that are developed by an organization to govern its actions. The policies define standards of correct behaviour for the business and its employees. In networking, policies define the activities that are allowed on the network.
This sets a baseline of acceptable use. If the behaviour that violates the business policy is detected on the network, it is possible that a security breach has occurred. understanding Security Policy Regulations And Standards. In this article, I want to talk about security policy regulations and standards in cyber security.

An organization may have several guiding policies, as listed in the table.
Policy Description
Company policies
  • These policies establish the rules of conduct and the responsibilities of both employees and employers.
  • Policies protect the rights of workers as well as the business interests of employers.
  • Depending on the needs of the organization, various policies and procedures establish rules regarding employee conduct, attendance, dress code, privacy and other areas related to the terms and conditions of employment.
Employee policies
  • These policies are created and maintained by human resources staff to identify employee salary, pay schedule, employee benefits, work schedule, vacations, and more.
  • They are often provided to new employees to review and sign.
Security policies
  • These policies identify a set of security objectives for a company, define the rules of behavior for users and administrators, and specify system requirements.
  • These objectives, rules, and requirements collectively ensure the security of a network and the computer systems in an organization.
  • Much like a continuity plan, a security policy is a constantly evolving document based on changes in the threat landscape, vulnerabilities, and business and employee requirements.

Security Policy

A comprehensive security policy has a number of benefits, including the following:

  • Demonstrates an organization’s commitment to security
  • Sets the rules for expected behavior
  • Ensures consistency in system operations, software and hardware acquisition and use, and maintenance
  • Defines the legal consequences of violations
  • Gives security staff the backing of management

Security policies are used to inform users, staff, and managers of an organization’s requirements for protecting technology and information assets. A security policy also specifies the mechanisms that are needed to meet security requirements and provides a baseline from which to acquire, configure, and audit computer systems and networks for compliance.

The table lists policies that may be included in a security policy.

Policy Description
Identification and authentication policy Specifies authorized persons that can have access to network resources and identity verification procedures.
Password policies Ensures passwords meet minimum requirements and are changed regularly.
Acceptable Use Policy (AUP) Identifies network applications and uses that are acceptable to the organization. It may also identify ramifications if this policy is violated.
Remote access policy Identifies how remote users can access a network and what is accessible via remote connectivity.
Network maintenance policy Specifies network device operating systems and end user application update procedures.
Incident handling procedures Describes how security incidents are handled.
One of the most common security policy components is an AUP. This can also be referred to as an appropriate use policy. This component defines what users are allowed and not allowed to do on the various system components. This includes the type of traffic that is allowed on the network. The AUP should be as explicit as possible to avoid misunderstanding.
For example, an AUP might list specific websites, newsgroups, or bandwidth-intensive applications that are prohibited from being accessed by company computers or from the company network. Every employee should be required to sign an AUP, and the signed AUPs should be retained for the duration of employment.

BYOD Policies

Many organizations must now also support Bring Your Own Device (BYOD). This enables employees to use their own mobile devices to access company systems, software, networks, or information. BYOD provides several key benefits to enterprises, including increased productivity, reduced IT and operating costs, better mobility for employees, and greater appeal when it comes to hiring and retaining employees.
However, these benefits also bring an increased information security risk because BYOD can lead to data breaches and greater liability for the organization.
A BYOD security policy should be developed to accomplish the following:
  • Specify the goals of the BYOD program.
  • Identify which employees can bring their own devices.
  • Identify which devices will be supported.
  • Identify the level of access employees are granted when using personal devices.
  • Describe the rights to access and activities permitted to security personnel on the device.
  • Identify which regulations must be adhered to when using employee devices.
  • Identify safeguards to put in place if a device is compromised.

The table lists BYOD security best practices to help mitigate BYOD vulnerabilities.

Best Practice Description
Password-protected access Use unique passwords for each device and account.
Manually control wireless connectivity Turn off Wi-Fi and Bluetooth connectivity when not in use. Connect only to trusted networks.
Keep updated Always keep the device OS and other software updated. Updated software often contains security patches to mitigate against the latest threats or exploits.
Back up data Enable backup of the device in case it is lost or stolen.
Enable “Find my Device” Subscribe to a device locator service with a remote wipe feature.
Provide antivirus software Provide antivirus software for approved BYOD devices.
Use Mobile Device Management (MDM) software MDM software enables IT, teams, to implement security settings and software configurations on all devices that connect to company networks.

Regulatory and Standards Compliance

There are also external regulations regarding network security. Network security professionals must be familiar with the laws and codes of ethics that are binding on Information Systems Security (INFOSEC) professionals.
Many organizations are mandated to develop and implement security policies. Compliance regulations define what organizations are responsible for providing and the liability if they fail to comply. The compliance regulations that an organization is obligated to follow depend on the type of organization and the data that the organization handles. Specific compliance regulations will be discussed later in the course.

Leave a Reply

Your email address will not be published. Required fields are marked *