As we enter the new year, many institutions resolve that this is the year that their Information Security Program will be streamlined and brought up to date. Doing this effectively requires a clear understanding of the difference between policy, standards, guidelines, and procedures. This week, we look at what each of these elements should look like and at how to determine the proper mix for your institution.
- Policy: A good Information Security Program needs to start with defining policy. For a financial institution, a policy is a mandatory high-level directive that is approved by the board. The board should review and approve policies at least annually. A policy should never discuss specifics but should instead define the broad framework under which the program should operate.

  An example of a policy might be the requirement that “all Internet connections be protected by a securely configured stateful firewall”. The policy in this example does not define the brand or model of firewall that is required. Requiring specific brands of firewalls would mean that the institution could not quickly react if the chosen brand were suddenly discovered to be inadequate, because the policy change would need to be approved by the board.

  A policy should include a definition of purpose (“Why is the policy needed?”), scope (“What staff, systems, or locations does the policy apply to?”), responsibility (“Who is responsible for administering the policy?”), and compliance (“How is the policy tested and enforced?”).

- Procedures: Procedures are the mandatory steps to be followed to implement each policy. In the earlier example of the firewall policy, there would likely be step-by-step procedures defining how to securely configure a firewall and how to ensure that the firewall continues to be secure.

  Procedures do not need to be approved by the board, so they are easier to change as the environment changes. It is important that procedures be reviewed periodically to ensure that they still reflect the current environment, so be sure to include procedures to direct these regular reviews.

- Standards: Standards define the specific technologies to be used by the institution. Going outside of a standard should not be allowed without management approval. Sticking with the earlier firewall example, a standard might be that the institution uses “Cisco Firepower 2100 firewalls to protect each branch Internet connection.”

  Standards help an institution ensure that its environment is secure at the lowest cost by ensuring that the same technology is used across the organization. When Cisco changes its product line, this standard can be discussed and changed quickly. User naming standards and email address standards are other examples. Some institutions include their standards in their procedures to make their Information Security Program easier to manage.

- Guidelines: A guideline is not mandatory; it is a recommendation. An example of a guideline might be that the person installing a firewall attach a label to the outside of the firewall so that it can be easily located in a server rack. The label does not enforce any policy and is not required to ensure that the Internet connection is secure; it is simply a piece of advice.
If your resolution this year is to bring your Information Security Program up to date but it seems like a tall order, don't worry, we're here for you. Check out the details and deliverables of our various CySPOT™ Modules to see just how we can help you accomplish your 2019 goals.