---
title: "15-policies-standards-practices"
aliases:
tags:
  - comp210
  - lecture
sr-due: 2022-12-05
sr-interval: 44
sr-ease: 250
---

# news

- Apple security flaw for iPhones, iPads and Macs
- Chrome patch for an actively exploited zero-day
- GitHub blighted by a researcher who created thousands of malicious projects
- Russian cyber attacks on Lockheed Martin
- armed forces hack into HIMARS

# Policies

Defn: a plan or course of action to influence and determine decisions

- high-level rules regarding the operations of an organisation
- policies state the management's intent and will
- governments, businesses, political parties, universities etc. use them to provide a roadmap for day-to-day operations
- an organisation's internal law
  - must also comply with actual law
- important for the resolution of legal disputes
- provide accountability
- can protect the organisation and its employees
- ensure consistency
- don't often change or deteriorate when staff change
- evidence of quality control, internal audits etc.

## good policies are properly

- disseminated
- read
- understood
- agreed-to
- uniformly enforced

and help us to answer these questions

- what info should be collected
- how should it be stored
- who is responsible for managing it
- who can access it
- what info should be published
- how long should it be kept/maintained
- when should it be discarded

## example

Revealing Information To Prospective Employee Policy: Information systems technical details, such as network addresses, network diagrams, and security software employed, must not be revealed to job applicants until they have signed a confidentiality agreement and also have been hired or retained.

# Procedures

Defn: step-by-step descriptions of what employees must do to achieve a certain goal (as specified by a policy)

- must be kept separate from policies
  - keeping them together will create a complex document that will (likely) not be read

![policy and procedure pyramid|400](https://i.imgur.com/rdQaLkh.png)

# Standards

The ISO/IEC 27000 family is the global series of standards for building an Information Security Management System (ISMS); ISO/IEC 27001 is the certifiable standard within it that specifies the ISMS requirements.

## ISO standards

![iso standards chart (2013)|400](https://i.imgur.com/BjgT9lK.png)
![ISO/IEC 27002:2022|400](https://i.imgur.com/zhCsjzZ.png)

## IS measurement model

ISO/IEC 27004 covers:

- monitoring
- measurement
- analysis
- evaluation

![IS measurement diagram|400](https://i.imgur.com/8R7vatT.png)
![IS measurement and ISMS integration diagram|400](https://i.imgur.com/HuvV6mn.png)

## Capability maturity model integration (CMMI)

![CMMI diagram|400](https://i.imgur.com/4SseQm7.png)

# Practices

Defn: detailed and repeatable ways of complying with a standard (and with a policy)

- the difference from procedures is that a procedure contains a step-by-step method for completing a certain task

## examples

![id badges example|400](https://i.imgur.com/bkdXQOy.png)
![temp badges example|400](https://i.imgur.com/Y13IGfP.png)
![badge controlled access example|400](https://i.imgur.com/hj9gPCb.png)

# Info sec audit

- Organisation (is there a security policy?)
- Employee Security Focus (training, recruitment)
- Change Management
- Network Security (router/firewall, VPN)
- Application Security (app dev., data security)
- System Security (server vulnerability & hardening)
- Identity Management (account & password management)
- Event Management (incident response)
- Asset Security (asset inventory, laptop security, software management)