GitHub/quartz
1
0
Fork 2
mirror of https://github.com/jackyzha0/quartz.git synced 2025-12-27 14:54:05 -06:00
Code Issues Actions Packages Projects Releases Wiki Activity
58d82b6d6a
quartz/content/notes/15-policies-standards-practices.md
Jet Hughes 3e78225275 vault backup: 2022-09-21 14:39:30
2022-09-21 14:39:30 +12:00

105 lines
3.3 KiB
Markdown
Raw Blame History

---
title: "15-policies-standards-practices"
aliases:
tags:
- comp210
- lecture
sr-due: 2022-09-24
sr-interval: 3
sr-ease: 250
---
# news
- apple securit flaw for iphones ipads and macs
- chrome patch actively exloited zero day
- github blighted by researcher who created thousands of malicious projects
- russian cyber attacks of lockheed martin
- armed forces hack into HIMARS
# Policies
Defn: a plan or course of action to influence and determine decisions
- high level rules regarding operations of organisation
- policies state the management intent and will
- governments, businesses, political parties, universities etc
provide roadmap for day-to-day operations
- organisation internal law
- also comply with actual law
- important for resolution of legal disputes
- provide accountability
- can protect org and employees
- ensure consistency
- dont often change or deteriorate when staff changes
- evidence of quality control, internal audits etc
## good policies
are properly
- disseminated
- read
- understood
- agreed-to
- uniformly enforced
and help us to answer these questions
- what info should be collected
- how should it be stored
- who is responsible for managing it
- who can access it
- what info should be published
- how long should it be kept/maintained
- when should it be discarded
## example
Revealing Information To Prospective Employee
Policy: Information systems technical details, such as network addresses, network diagrams, and security software employed, must not be revealed to job applicants until they have signed a confidentiality agreement and also have been hired or retained
# Procedures
Defn: step by step descriptions of what employees must do to achieve a certain goal (as specified by a policy)
- must be kept separate from policies
- keeping them together will create a complex document that will (likely) not be read
![policy and procedure pyramid|400](https://i.imgur.com/rdQaLkh.png)
# Standards
The ISO 27000 is a global standard to build a Information Security Management System (ISMS)
## ISO standards
![iso standards chart (2013)|400](https://i.imgur.com/BjgT9lK.png)
![ISO/IEC 27002:2022|400](https://i.imgur.com/zhCsjzZ.png)
## IS measurement model - ISO 27004
- monitoring
- measurement
- analysis
- evaluation
![IS measurement diagram|400](https://i.imgur.com/8R7vatT.png)
![IS measurement and ISMS integration diagram|400](https://i.imgur.com/HuvV6mn.png)
## Capability maturity model integration CMMI
![CMMI diagram|400](https://i.imgur.com/4SseQm7.png)
# Practices
Defn: detailed and repeateable ways of complying to a standard (and to a policy)
diff with procedures is that a proceduure contains a step by step method on how to complete a certain task
## examples
![id badges example|400](https://i.imgur.com/bkdXQOy.png)
![temp badges example|400](https://i.imgur.com/Y13IGfP.png)
![badge controlled acces example|400](https://i.imgur.com/hj9gPCb.png)
# Info sec audit
- Organisation (Is there a security policy?)
- Employee Security Focus (Training, Recruitment)
- Change Management Network Security (Router/Firewall, VPN)
- Application Security (App Dev., Data Security)
- System Security (Server Vulnerability & Hardening)
- Identity Management (Account & Password Management)
- Event Management (Incident Response)
- Asset Security (Asset Inventory, Laptop Security, Software Management)
Reference in New Issue View Git Blame Copy Permalink