Business policies are the guidelines that are developed by an organization to govern its actions. The policies define standards of correct behaviour for the business and its employees. In networking, policies define the activities that are allowed on the network.
This sets a baseline of acceptable use. If the behaviour that violates the business policy is detected on the network, it is possible that a security breach has occurred. understanding Security Policy Regulations And Standards. In this article, I want to talk about security policy regulations and standards in cyber security.
An organization may have several guiding policies, as listed in the table.
| Policy | Description |
|---|---|
| Company policies |
|
| Employee policies |
|
| Security policies |
|
Security Policy
A comprehensive security policy has a number of benefits, including the following:
- Demonstrates an organization’s commitment to security
- Sets the rules for expected behavior
- Ensures consistency in system operations, software and hardware acquisition and use, and maintenance
- Defines the legal consequences of violations
- Gives security staff the backing of management
PEOPLE ALSO READ: Probabilistic Analysis In Cyber Security: How To Determine The Likelihood Of Events
Powered by Inline Related Posts
Security policies are used to inform users, staff, and managers of an organization’s requirements for protecting technology and information assets. A security policy also specifies the mechanisms that are needed to meet security requirements and provides a baseline from which to acquire, configure, and audit computer systems and networks for compliance.
The table lists policies that may be included in a security policy.
| Policy | Description |
|---|---|
| Identification and authentication policy | Specifies authorized persons that can have access to network resources and identity verification procedures. |
| Password policies | Ensures passwords meet minimum requirements and are changed regularly. |
| Acceptable Use Policy (AUP) | Identifies network applications and uses that are acceptable to the organization. It may also identify ramifications if this policy is violated. |
| Remote access policy | Identifies how remote users can access a network and what is accessible via remote connectivity. |
| Network maintenance policy | Specifies network device operating systems and end user application update procedures. |
| Incident handling procedures | Describes how security incidents are handled. |
One of the most common security policy components is an AUP. This can also be referred to as an appropriate use policy. This component defines what users are allowed and not allowed to do on the various system components. This includes the type of traffic that is allowed on the network. The AUP should be as explicit as possible to avoid misunderstanding.
For example, an AUP might list specific websites, newsgroups, or bandwidth-intensive applications that are prohibited from being accessed by company computers or from the company network. Every employee should be required to sign an AUP, and the signed AUPs should be retained for the duration of employment.
BYOD Policies
Many organizations must now also support Bring Your Own Device (BYOD). This enables employees to use their own mobile devices to access company systems, software, networks, or information. BYOD provides several key benefits to enterprises, including increased productivity, reduced IT and operating costs, better mobility for employees, and greater appeal when it comes to hiring and retaining employees.
However, these benefits also bring an increased information security risk because BYOD can lead to data breaches and greater liability for the organization.
A BYOD security policy should be developed to accomplish the following:
A BYOD security policy should be developed to accomplish the following:
- Specify the goals of the BYOD program.
- Identify which employees can bring their own devices.
- Identify which devices will be supported.
- Identify the level of access employees are granted when using personal devices.
- Describe the rights to access and activities permitted to security personnel on the device.
- Identify which regulations must be adhered to when using employee devices.
- Identify safeguards to put in place if a device is compromised.
The table lists BYOD security best practices to help mitigate BYOD vulnerabilities.
| Best Practice | Description |
|---|---|
| Password-protected access | Use unique passwords for each device and account. |
| Manually control wireless connectivity | Turn off Wi-Fi and Bluetooth connectivity when not in use. Connect only to trusted networks. |
| Keep updated | Always keep the device OS and other software updated. Updated software often contains security patches to mitigate against the latest threats or exploits. |
| Back up data | Enable backup of the device in case it is lost or stolen. |
| Enable “Find my Device” | Subscribe to a device locator service with a remote wipe feature. |
| Provide antivirus software | Provide antivirus software for approved BYOD devices. |
| Use Mobile Device Management (MDM) software | MDM software enables IT, teams, to implement security settings and software configurations on all devices that connect to company networks. |
Regulatory and Standards Compliance
There are also external regulations regarding network security. Network security professionals must be familiar with the laws and codes of ethics that are binding on Information Systems Security (INFOSEC) professionals.
Many organizations are mandated to develop and implement security policies. Compliance regulations define what organizations are responsible for providing and the liability if they fail to comply. The compliance regulations that an organization is obligated to follow depend on the type of organization and the data that the organization handles. Specific compliance regulations will be discussed later in the course.
