WEBVTT

00:00:00.930 --> 00:00:05.480
So far we've discussed things like governance and the elements of security,

00:00:05.830 --> 00:00:06.670
but in the end,

00:00:06.670 --> 00:00:11.870
security is a theoretical activity until we back it up with

00:00:11.870 --> 00:00:14.970
practical implementation of concepts.

00:00:15.410 --> 00:00:21.880
This is why we need policy, procedures, standards, baselines, and guidelines.

00:00:23.040 --> 00:00:27.920
The idea of a policy hierarchy is that at the top you actually have laws and

00:00:27.920 --> 00:00:32.500
the actual strategy of the organization as we saw earlier,

00:00:32.500 --> 00:00:36.120
but these are what feed into the development of the

00:00:36.120 --> 00:00:38.060
policies of the organization.

00:00:38.550 --> 00:00:41.820
We could also say that a lot of the policies of the

00:00:41.820 --> 00:00:45.080
organization are influenced by risk,

00:00:45.350 --> 00:00:49.500
what risk does our business face so that we develop

00:00:49.500 --> 00:00:52.940
policies to respond to those risks as well?

00:00:53.790 --> 00:00:58.660
But policies themselves are high‑level statements of what we'd like to do,

00:00:59.230 --> 00:00:59.990
so therefore,

00:00:59.990 --> 00:01:05.510
we need to take those ideas or concepts of policy and turn them into

00:01:05.510 --> 00:01:09.170
practical steps through things like procedures,

00:01:09.180 --> 00:01:12.400
standards, baselines, and guidelines.

00:01:13.090 --> 00:01:18.880
We also see in this slide we have then functional policies, whereas policies

00:01:18.880 --> 00:01:22.510
themselves should be non‑technical and at more of a high level.

00:01:22.820 --> 00:01:27.460
We often need policies specifically dealing with a certain technology

00:01:27.650 --> 00:01:33.390
such as a policy about acceptable use of the internet or a policy about

00:01:33.750 --> 00:01:37.950
some type of remote access or wireless use.

00:01:38.350 --> 00:01:42.870
Those are functional policies just about that one topic so

00:01:42.870 --> 00:01:46.550
we don't have to change and update the overall policy

00:01:46.590 --> 00:01:48.820
every time technology changes.

00:01:49.850 --> 00:01:54.440
Policies themselves tell us what we can and what we cannot do

00:01:54.550 --> 00:01:57.990
and that way they provide direction for us.

00:01:58.000 --> 00:02:03.320
We know what's acceptable, what management states is allowed,

00:02:03.330 --> 00:02:06.370
but in some cases is not allowed as well.

00:02:07.110 --> 00:02:12.340
A policy is issued by and signed by management to say that

00:02:12.350 --> 00:02:16.760
this is what we agree to that you should do,

00:02:16.890 --> 00:02:20.130
and therefore, it has authority by that.

00:02:20.630 --> 00:02:23.660
A good example is an acceptable use policy.

00:02:24.060 --> 00:02:27.070
If you have internet access, what is acceptable?

00:02:27.220 --> 00:02:33.140
Some companies say only business, other companies say, well, any reasonable use,

00:02:33.460 --> 00:02:36.270
so it depends a little bit on the culture of the

00:02:36.270 --> 00:02:40.230
organization of what types of policies they create.

00:02:42.020 --> 00:02:46.240
When we look at procedures, we know the problem with policy is that it's theory.

00:02:46.790 --> 00:02:49.920
This is what's acceptable use of the internet, but

00:02:49.920 --> 00:02:52.710
then how do we actually enforce that?

00:02:52.840 --> 00:02:55.470
For this, we need procedures.

00:02:55.880 --> 00:02:59.790
A procedure mandates how something should be done.

00:03:00.140 --> 00:03:04.360
If a person violates a policy, what do we do, for example?

00:03:04.910 --> 00:03:08.510
Take the example of a new user who starts with the organization.

00:03:08.810 --> 00:03:12.380
We should have a clear procedure on how to set up that new

00:03:12.380 --> 00:03:17.130
user's account so that all users' accounts are set up properly

00:03:17.400 --> 00:03:20.300
and in accordance with good practice, for example,

00:03:20.730 --> 00:03:26.510
and these very often are by their very nature step‑by‑step actions,

00:03:26.670 --> 00:03:29.650
do this, then do this, then do this.

00:03:29.850 --> 00:03:30.780
Something we'll look at,

00:03:30.780 --> 00:03:34.220
especially in domain two when we look at incident response.

00:03:34.250 --> 00:03:38.460
Here are the steps we take when there is an incident, for example.

00:03:39.600 --> 00:03:45.280
The overall objective of a procedure is to be the legs or

00:03:45.280 --> 00:03:48.780
the support for the policy's intent.

00:03:48.790 --> 00:03:51.390
What was the policy trying to do?

00:03:51.600 --> 00:03:57.190
And procedures help interpret what that policy's intent is.

00:03:58.500 --> 00:04:00.070
We also have standards.

00:04:00.130 --> 00:04:03.950
Standards are good things, so things are done in the same way.

00:04:03.950 --> 00:04:05.020
For example,

00:04:05.110 --> 00:04:09.930
we could have a standard that says here is our required

00:04:09.930 --> 00:04:13.260
solution for anything from equipment,

00:04:13.260 --> 00:04:18.140
you're going to buy a laptop or a desktop or you're going to buy software,

00:04:18.140 --> 00:04:19.209
for example,

00:04:19.320 --> 00:04:25.230
so that we're all using that same type of configuration and it

00:04:25.230 --> 00:04:27.530
makes it much easier for us to support it,

00:04:27.540 --> 00:04:28.490
for example.

00:04:28.490 --> 00:04:32.230
A standard is often based on good practice,

00:04:32.390 --> 00:04:34.900
the things we've learned that work, and that,

00:04:34.900 --> 00:04:38.590
of course, could even be things like an international standard.

00:04:39.050 --> 00:04:44.140
We have what's known as the ISO/IEC 27001.

00:04:44.740 --> 00:04:49.680
That defines something known as the Information Security Management System.

00:04:50.190 --> 00:04:54.510
It defines what a good security practice should be, and many

00:04:54.510 --> 00:04:58.750
organizations have adopted that standard as the template to

00:04:58.750 --> 00:05:01.110
use for their security program,

00:05:01.320 --> 00:05:05.640
and they'll even seek to be recognized as compliant with

00:05:05.640 --> 00:05:07.720
the requirements of that standard.

00:05:09.590 --> 00:05:11.590
When we look at baselines,

00:05:11.910 --> 00:05:16.320
we're saying here is the minimum acceptable level of action.

00:05:16.860 --> 00:05:22.360
For example, you may not have to have a high level of security in the system,

00:05:22.380 --> 00:05:25.840
but you at least have to meet this minimum acceptable standard.

00:05:26.030 --> 00:05:27.190
And in that way,

00:05:27.190 --> 00:05:32.910
a baseline helps to ensure that nothing can connect to our system,

00:05:33.060 --> 00:05:36.430
which is not at least at that acceptable level.

00:05:37.160 --> 00:05:41.480
We often use this when we're looking at things like equipment configuration.

00:05:42.010 --> 00:05:45.770
Any device connected to our network must have,

00:05:45.770 --> 00:05:47.870
for example, antivirus on it,

00:05:48.030 --> 00:05:51.680
must have up to date patches for the operating system.

00:05:51.950 --> 00:05:53.320
Those are baselines.

00:05:54.170 --> 00:05:58.510
We also have seen baselines with something like a minimum password length.

00:05:58.980 --> 00:06:02.810
Your password must be at least eight digits long.

00:06:02.940 --> 00:06:05.640
It could be more, you could exceed the baseline,

00:06:05.740 --> 00:06:10.350
but no one could have a password that's not at least eight characters long.

00:06:11.900 --> 00:06:13.810
We also have guidelines.

00:06:14.040 --> 00:06:18.270
Guidelines are suggestions, they're recommendations,

00:06:18.270 --> 00:06:23.750
they're not mandated like a policy, procedure, standard, or baseline is.

00:06:24.220 --> 00:06:27.760
You must follow those procedures and baselines,

00:06:28.130 --> 00:06:31.300
but you don't necessarily have to follow a guideline,

00:06:31.310 --> 00:06:32.410
it's a suggestion.

00:06:32.880 --> 00:06:33.860
For example,

00:06:33.870 --> 00:06:37.860
we said before that there was a baseline your password

00:06:37.860 --> 00:06:39.690
had to be eight characters long,

00:06:40.270 --> 00:06:44.010
but a guideline could say here are some suggestions

00:06:44.010 --> 00:06:45.920
on how to choose a good password,

00:06:46.480 --> 00:06:52.680
some things you can do to make your password of an acceptable level of strength.

00:06:52.850 --> 00:06:55.320
You don't have to follow it necessarily,

00:06:55.390 --> 00:07:00.480
but at least it's good information and a recommendation that could be followed.

00:07:01.960 --> 00:07:03.420
The key points review.

00:07:04.090 --> 00:07:06.300
We've looked at some important things here.

00:07:06.700 --> 00:07:11.790
The use of policies and procedures because a policy is theory,

00:07:12.020 --> 00:07:17.440
it's management's intent, but it doesn't necessarily say how to do something.

00:07:17.700 --> 00:07:18.950
So therefore,

00:07:19.100 --> 00:07:23.070
the policy is of little value if it's not supported by

00:07:23.070 --> 00:07:26.180
something like a procedure which says here are the

00:07:26.180 --> 00:07:29.220
instructions of what to do and how to do it.

00:07:29.960 --> 00:07:35.270
We can say here the main goal or main purpose of a policy is to

00:07:35.270 --> 00:07:40.230
demonstrate that management is committed to certain behaviors as

00:07:40.230 --> 00:07:42.940
part of their information security program.
