Pass ISC CISSP Exam in First Attempt Easily

Course Intro. and INFORMATION SECURITY GOALS

1. Lecture 1 - Information Security Goals

Information security professionals are tasked with protecting an organization's most valuable assets. When we discuss the goals of information security, you will often hear what is referred to as the CIA Triad. The CIA Triad is simply short for confidentiality, integrity, and availability. Confidentiality ensures that the necessary level of secrecy is enforced at each junction of the data process and prevents unauthorised disclosure. This is the area where information security professionals spend most of their time, and confidentiality is what most people think of when they think about information security, which is keeping secrets away from prying eyes.

The second leg of the CIA Triad is integrity. Integrity is upheld when the accuracy and reliability of information and systems are assured and any unauthorised modification is prevented. Simply put, this means that there weren't any unauthorised changes to information. The final goal of information security is availability. Availability protection ensures reliability and timely access to data and resources for authorised individuals. Business availability and continuity may have a profound impact on business. One particular example of availability being undermined is a denial of service attack. In this type of attack, a malicious individual can try to either overwhelm the system or cause it to crash, therefore denying legitimate users the access they need. Let's take a closer look at confidentiality. As we proceed through the lectures, you will learn about the many different controls available to information security professionals.

You can think of these controls as tools available for information security professionals to reach direct access controls. Encryption and steganography are two other common controls utilised by information security professionals to enhance confidentiality. Access controls restrict people from seeing data that they should not have access to. Access controls protect confidentiality by ensuring that only those users who have permission to access files are in fact gaining access. For instance, let's assume an organisation hires a marketing intern. Security professionals would want to ensure that the marketing intern only has access to information relating to his or her job. The marketing intern, for example, should not have access to personnel files in the HR department directory. Another type of control is encryption. Encryption transforms plain text into unreadable ciphertext through the use of mathematical algorithms.

Another type of control mechanism is steganography. Steganography is a technique that hides information inside of other files, but in a manner that actually manipulates the contents of that file. The integrity of information must also be protected by information security professionals. As discussed earlier, this is the second leg of the CIA Triad. Integrity controls ensure that information is not altered without authorization. Tampering, whether accidental or intentional, can compromise integrity and be caused by a variety of issues. One possible source of integrity failure may come in the form of intentional tampering. For instance, a student may gain unauthorised access to an administrator's grade book and make unauthorised changes to his or her grades. Integrity failures may also come in the form of errors. These could be user errors, such as an employee accidentally keying in incorrect information, or come in the form of a software or hardware error, for example, a software application generating erroneous data. Finally, acts of nature may be a possible source of integrity failures. For instance, a flood may damage information stored on a hard drive, and the recovery process may yield information that is inaccurate.

2. Lecture 2 – Hashing

A core mechanism utilised to protect integrity is the concept of hashing. A sample hash function looks like the one seen here. But what is hashing? Hash functions create message digests and larger files. Hashing is the process of converting a string of characters into a fixed-length value or key that represents the original string. It's used to index and retrieve items in a database. Because it's faster to find items using the shorter hash key than to find them using the original value. The values returned by hash functions are called hash values, hash codes, digests, or simply hashes. As mentioned, hashing is one of the core controls used to protect integrity.

It does this by utilising a mathematical algorithm. The unique digest that has been yielded from the algorithm serves as a fingerprint for the file. Any alteration to that file changes the digest. In other words, if the short piece of data has changed, we know that the fingerprint of the file has changed, which means that there has been an alteration to that file. Let's take a closer look. I encourage you to practise along with me. If you go to the site listed here, www.dotmiraclesalad.com, slash webtools slash MD-five dot PHP, you will have access to the MD-five hash generator. I have gone ahead and opened up this link in my browser, and as you can see here, we have an inputbox where we can enter any string we want. We can simply copy and paste information here, or we can type in whatever we want. For our example, I'm going to type in a random sentence:

I like to drink coffee. As you can see, the MD5 hash generator is providing us with a hash that begins with the character C4 and ends with F three F.But what happens if I change the word "coffee" to "water"?As you can see, the whole hash changes now. Our hash begins with 90 and ends with two FB.By looking at the hash, we know that this file has been altered. But what happens if we go ahead and change "water, the word for water, back to "coffee?" As you can see, we are right back to where we started. CC 4 and F 3 are the beginning and ending of our hash that's been generated. This is a very important concept because it indicates that any alteration or tampering of the file would be reflected in the change in hash.

3. Lecture 3 - Digital Signatures and Digital Certificates

In our previous lecture, we discussed hashing. We looked at a real-world example of how an MD5 generator produces a hash digest. Hashes serve as the rudimentary building blocks for many different integrity controls. One particular integrity control that utilises hashing as a building block is a digital signature. Digital signatures are one of the most advanced and secure types of electronic signatures. You can use them to comply with the most demanding legal and regulatory requirements because they provide the highest level of assurance about each signer's identity and the authenticity of the documents they sign. Digital signatures use a certificate-based digital ID used by an accredited certificate authority or trust service provider. So when you digitally sign a document, your identity is uniquely linked to it.

The signature is bound to the document with encryption, and everything can be verified using underlying technology known as public key infrastructure, or PKI. One way that digital signatures serve as an integrity control mechanism is that they help us achieve the goal of non repudiation.The ability to prevent the denial of an electronic message or transaction is known as nonrepudiation and network security. The aim of non-repudiation is to ensure that an individual or organisation is unable to deny at a later date that they were the originator of that message or transfer.

So how is a digital signature created to begin? The person signing the document uses a hash function to create a digest of that document. The hash generated is encrypted usinghis or her private encryption key. The recipient of a digitally signed message can then use the sender's public key to decrypt the signature and then compute the hash value of the message themselves and compare the values from steps one and two. If they match, the message is authentic. Let's discuss digital certificates. Digital signatures can be used to create digital certificates. A digital certificate is like an electronic passport for exchanging secure information over the Internet using the public key infrastructure, otherwise known as PKI. They are used to transmit public keys securely.

4. Lecture 4 - Availability

The final leg of the CIA Triad is availability. Network devices, computers, and applications should provide adequate functionality to perform in a predictable manner with an acceptable level of performance. They should be able to recover from disruptions in a secure and quick fashion, so productivity is not negatively affected. Necessary protection mechanisms must be in place to protect against inside and outside threats that could affect the availability and productivity of all business processing components. In other words, security controls must be applied to protect the availability of information and systems to authorised users when needed.

There are a wide array of possible failure causes that can disrupt availability and consequently impact business operations. As a security professional, you will be tasked with identifying and addressing these possible vulnerabilities. One possible source of failure would be an attacker. Malicious individuals can overwhelm the system and create what is known as a denial-of-service attack, whereby the system or network is not available to legitimate users. Another possible cause of failure would be hardware components. For example, a power supply unit may fail to combat this. As a security professional, you may want to incorporate a secondary power source. Software and application failures are another possible cause of failure. Error codes may be generated and disrupt availability on the network. Finally, utility failures such as power outages can disrupt the system or network through the unavailability of Internet access.

Now that we've identified possible failure causes that may impact availability, let's focus our attention on some availability controls that are readily available. Utilizing redundant components such as secondary sources of power, as mentioned earlier, would be one availability control. Another example is the use of high-availability systems that have multiple servers dedicated to the same purpose so that if one server fails, the others may continue carrying the operational load. A third availability control would be fault tolerance. With fault tolerance, services may continue so long as the anomalies are within a predetermined reasonable tolerance level. The final source of availability control would be operating system and application patching. If security professionals keep applications patched, the likelihood of network disruption and availability is significantly reduced if any predetermined flaws by the manufacturer are addressed in advance.

Hide

Security Governance

1. Lecture 1 - Security Governance

Congratulations on making it to Unit Two! In unit two, we will discuss security governance. The goals of this unit will be to understand key dynamics of aligning security with business objectives, identify consideration items for business cases, and identify security roles and responsibilities. And by the time you are done with this unit, you must have the ability to list the three discussed control frameworks. The goal and mission of every organisation are different. And while security is of paramount importance to any organization, security professionals must bear in mind that there are many interests at stake. In other words, the existence of an organisation or business does not revolve solely around the purpose of security. As a security professional, you must err on the side of caution with this balancing act. Just as a business' sole purpose is not security, a business with insufficient security may be unsustainable. Your goal as a security professional is to align security with business goals.

You are not just a security leader, but you are also a business leader. Decisions you make directly impact the security of an organisation and its business as a whole. You must therefore understand both the short-term and long-term goals of the organisation and incorporate security features in a manner that helps the business. This is much more challenging than it may seem, because security controls can often be a barrier to the efficient operation of a business. For example, there are additional costs associated with security. There are policies, protocols, and procedures that may be added, and each of these extra steps may be a barrier. On the SYSP exam, you may be presented with scenarios where you must make decisions that impact the business and the security of an organization.

When considering the competing views, it is significantly important to take a balanced approach so that neither business needs nor security needs are compromised. As mentioned earlier, implementing security controls presents challenges. One way to mitigate these challenges is to present a business case for implementing security controls. When making these types of business case proposals, there are a few considerations to always keep top of mind. First, does the security control justify the investment of time and money for the new control? For example, can you justify implementing a security control that will take a full year to implement, cost $50 million, and be only 80% effective or accurate? Probably not. You also want to keep in mind the balanced approach we stated earlier about being both a security leader and a business leader. Are we significantly compromising security for business and/or vice versa? Finally, when proposing a business case, we want to consider whether the business case has been influenced. achieving the goals of the CIA triad.

2. Lecture 2 - Organizational Processes

In our previous lecture, we stressed the importance of taking a balanced approach between competing business needs and security objectives. There must be a seamless alignment between security and the specific business processes within an organization. Some of the specific business processes that have a direct security impact are security governance, integration, acquisitions, and corporate divestitures. Let's discuss these in a little more detail. Governance processes take place at various levels. This may include an information governance committee and a risk management committee, and for publicly traded companies and nonprofit organizations, it may include an independent board of directors and board of trustees. Irregardless of the governance structure of the organization, security leaders must determine the best ways to integrate information security into governance processes. Integration of security governance is also paramount. Security professionals must ensure government agencies understand risks and controls.

They must also inform governing bodies of security incidents and provide audit reports to governing bodies. Following these processes further ensures the integration of security governance in a seamless manner. The key to remember here is that there is no universal security governance model that fits all organizations. As a security professional, you will be tasked with finding the security governance model that best suits your organization's culture. An acquisition is a corporate action in which a company buys most, if not all, of the target company's ownership stakes to assume control of it. An acquisition occurs when a buying company obtains more than 50% ownership in a target company. When this happens, security professionals from both companies should collaborate to identify security controls already in place, the removal of any redundancies, the compatibility of systems, and the identification of any vulnerabilities with the new acquisition.

This does present some challenges at times. For example, if the company being bought out has employees who are concerned about their employment status with the company after the acquisition, collaboration may be hesitant. Another business process that may have a security impact would be a corporate divestiture. A corporate divestiture is a strategy to remove some of the group's assets from its current business portfolio. Depending on the purpose of restructuring, divestitures can take several forms, such as a sell-off, spin-offs, or equity carve out.

There are multiple factors that must be considered in a corporate divestiture for the divested company and the corresponding individuals that are retained as part of the divested company. Security professionals must ensure that the new organisation has adequate controls in place. Security professionals being retained as part of the parent company will subsequently need to ensure they are not lingering so as to provide unintentional access for those individuals that are no longer with the parent company.

3. Lecture 3 - Security Roles and Responsibilities

Security professionals are required to take responsibility for protecting networks, infrastructure, and computer systems. For security professionals, these roles may include system administrators, network security officers, information security engineers, application security engineers, network managers, network engineers, chief information systems officer, chief technology officer, chief security officer, and computer operators. These are just a few of the primary roles for IT security professionals. For the Sys Exam, you will want to familiarise yourself with the acronym CISO. Cisso is short for Chief Information Security Officer, and this is the most senior information security leader in an organization. The CISO normally leads a team of information security professionals. CISOs may also report through an organisation or to a risk management leader.

The CISO, security leaders and othersecurity team members must follow importantguiding principles for their role. Due care is one of these guiding principles, which states that security professionals must fulfil their legal responsibilities to the organisation as well as the professional standards of information security. It is the degree of care that an ordinary and reasonable person would normally exercise over his or her own property or under circumstances like those at issue. The concept of "due care" is usually a test of liability for negligence, also called ordinary care or reasonable care. The second guiding principle is due diligence. Due diligence examines whether reasonable steps were taken by a person in order to satisfy a legal requirement.

In order to truly demonstrate due diligence when it comes to information security, businesses must focus on narrowing the scope of their own information security in addition to being mindful of global laws and regulations that may have an impact on their operations. Businesses can reduce their potential risk throughout their information security systems by exercising due diligence. In addition, businesses could then potentially realise savings and, because they are taking greater care with their information security processes, potentially realise further profits.

4. Lecture 4 - Control Frameworks

The design, implementation, and management of various controls to protect confidentiality, integrity, and availability are overseen by security professionals. This is a huge responsibility and provides a significant challenge. It's challenging because building a comprehensive security programme needs to be sound. It's time consuming, it requires expertise in the field of information security, and it must provide adequate security coverage to protect the organization. The good news is that security professionals can reference control frameworks that have already been designed and have stood the test of time. While these types of frameworks must still be tailored to each organization's specific needs, they do provide a good starting point for security professionals. While there are many different control frameworks that cover information security, we will look at the most common ones.

The Control Objectives for Information Technology, or COBIT, is a security control framework developed by the Information Systems Audit and Control Association. COBIT provides an implementable set of controls in information technology and organises them around a logical framework of IT-related processes and enablers. I have gone ahead and downloaded the PDF version of COBIT. COBIT is available free of charge online. Simply go to Google.com and type in "Colbert PDF" and this document will appear. While you do not need to know the details of Culpit end to end, it is important that, for the CISP exam, you familiarise yourself with the five different principles.

These principles can be found on page eleven. The COBIT five principles include the following: meeting stakeholder needs, covering the enterprise end-to-end, applying a single integrated framework, enabling a holistic approach, and separating governance from management. Again, while you do not need to know Cobra end to end, knowing these five principles should be helpful for the SysP exam. ISO 27001 is a control framework for information security published by the International Organization for Standardization. ISO 27001 is a specification for an information security management system and a framework of policies and procedures that include all legal, physical, and technical controls involved in an organization's information risk management process.

Government agencies and contractors have their own standards. The National Institute for Standards and Technology, otherwise known as NIST, publishes a document called the Security and Privacy Controls for Federal Information Systems Organization. Commonly referred to as NIST 853, it provides a catalogue of security controls for all US federal information systems except those related to national security. Again, I've downloaded the NIST 853 publication and, as you can see, it offers a comprehensive set of contents that outlines details about building a security programme for government agencies and other organizations. A quick overview highlights the fundamentals of information security. It talks about multitiered risk management.

It also discusses security control structures, baselines and designations, the use of external service providers, and how to assess assurance and trustworthiness for information systems. It also discusses the process of implementing security and privacy controls. As previously stated, all of the control frameworks discussed here are excellent places to start when implementing them in your organization. It should be tailored to meet the specific requirements of your enterprise.

Hide

Compliance and Ethics

1. Lecture 1 - Compliance and Ethics

Welcome to Unit Three. compliance and ethics. We will have several goals for this unit. By the time we are done with this unit, you should be able to identify the four types of compliance obligations, identify common industry-specific laws, and identify the three common export controls. As an information security professional, it is absolutely imperative that you become familiar with both legal and regulatory requirements. Local and federal government laws are constantly evolving to take into account the impact of information security. There are four main types of compliance obligations that you will need to be familiar with: criminal law, civil law, administrative law, and private regulations. Criminal law is the body of law that relates to crime and that prescribes conduct perceived as threatening, harmful, or otherwise endangering the property, health, safety, and welfare of people. Most criminal laws are established by statute, which is to say that the laws are enacted by a legislature that includes the punishment of people who violate these laws.

Civil law is a body of rules that defines and protects the private rights of citizens, offers legal remedies that may be sought in a dispute, and covers areas of law such as contracts, torts, property, and family law. Civil law is derived from the laws of ancient Rome, which used doctrines to develop a code that determined how legal issues would be decided. Civil law and criminal law serve different purposes. in the United States legal system. The purpose of civil law is to resolve disputes and provide compensation for someone injured by someone else's act or behavior. The primary purpose of criminal law is to prevent undesirable behaviour and punish those who commit acts deemed undesirable by society. In civil law, it is the injured person who brings a lawsuit. By contrast, in criminal law, it is the government that files charges.

Administrative law allows for the effective operation of government by allowing executive branch agencies to promulgate regulations that facilitate carrying out their duties. Private regulations also govern many activities of individuals and organizations. While private regulations don't have a standalone force of law, compliance is often required by means of contractual obligations. The Fourth Amendment of the United States Constitution provides the right of the people to be secure in their persons, houses, papers, and effects against unreasonable searches and seizures, and it shall not be violated and no warrants shall be issued but upon probable cause, supported by oath or affirmation, and particularly describing the place to be searched and the persons or things to be seized. The ultimate goal of this provision is to protect people's rights to privacy and freedom from unreasonable intrusions by the government. The Federal Information Security Management Act FISMA is a law that governs information security matters for federal agencies and government contractors. FISMA requires the creation of security programmes throughout the federal government and provides details on the controls necessary to run information systems that are categorised in a FISA high, FISMA moderate, or FISMA low-tiered system.

2. Lecture 2 - Industry Specific Laws

Information security professionals should be concerned with laws that protect the privacy of individuals against identity theft and unwanted disclosure of personal information in the United States. In the industry, specific laws are designed to address information security issues specific to the nature of the business. The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is the United States legislation that provides data privacy and security provisions for safeguarding medical information. The law has gained prominence in recent years as a result of the increasing number of health data breaches caused by cyberattacks and ransomware attacks on health insurers and providers.

The act was signed into law by President Bill Clinton on August 20, 1996, and contains five sections. The Family Educational Rights and Privacy Act is a federal law that protects the privacy of student education records. The law applies to all schools that receive funds under an applicable programme of the United States Department of Education. These rights transfer to the student when he or she reaches the age of 18 or attends a school beyond the high school level. FERPA also restricts the manner in which educational institutions utilise and release educational records. The financial services sector is covered by the Gram Leech Blyley Act. The GLBA, also known as the Financial Modernization Act of 1999, is a federal law enacted in the United States to control the ways that financial institutions deal with the private information of individuals.

The Act consists of three sections the Financial Privacy Rule, which regulates the collection and disclosure of private financial information, the Safeguards Rule, which stipulates that financial institutions must implement security programmes to protect such information, and the Pretexting Provisions, which prohibit the practise of pretexting. The act also requires financial institutions to give customers a written privacy notice that explains their information sharing practices. The Children's Online Privacy Protection Act (COPA) gives parents control over what information websites can collect from their kids. Kappa also requires that parents give consent for the collection of information from children under the age of 18 before that collection takes place.

The Privacy Act of 1974 is a United States federal law that established the Code of Fair Information Practice that governs the collection, maintenance, use, and dissemination of personally identifiable information about individuals that is maintained in systems of records by federal agencies. A system of records is a group of records under the control of an agency, from which information is received by the name of the individual or by some identifier assigned to the individual. The Privacy Act requires that agencies give the public notice of their systems of records by publication in the Federal Register. The Privacy Act prohibits the disclosure of information from a system of records absent the written consent of the subject individual unless the disclosure is pursuant to one of twelve statutory exceptions. The act also provides individuals with the means by which to seek access to an amendment of their records and sets forth various agency record-keeping requirements.

3. Lecture 3 - Compure Crimes

Thus far, we have discussed a number of laws that are industry specific.We have discussed civil and administrative laws. Cases of information theft, system intrusion, identity theft, theft, and other crimes fall under the umbrella of criminal law. Let's look at a few of the common laws that directly relate to computer crimes. The Computer Fraud and Abuse Act, also known as the CFAA, is a federal anti-hacking statute that prohibits unauthorized access to computers and networks. Enacted in 1986 as an amendment to the Counterfeit Access Device and Abuse Act, the CFAA makes it illegal to do a whole bunch of stuff related to computers and computer networks, from stealing government documents and committing fraud to sending out spam emails. It also prohibits the creation of malicious code. The Electronic Communications Privacy Act and the stored wire The Electronic Communications Privacy Act is commonly referred to as the electronic communications privacy act.

The ECPA updated the Federal Wiretap Act of 1968, which addressed interception of conversations using hard telephone lines but did not apply to interception of computer and other digital electronic communications. Several subsequent pieces of legislation, including the USA Patriot Act, clarify and update the ECPA to keep pace with the evolution of new communication technologies and methods, including easing restrictions on law enforcement access to stored communications.

In some cases, the ECPA has amended its protection of wire, oral, and electronic communications while those communications are being made, are in transit, and when they are stored on computers. The act applies to email, telephone conversations, and data stored electronically. The Identity Theft and Assumption Deterrence Act of 2009, commonly abbreviated as IDTA, is a piece of legislation in the United States that made it a federal offence to use another person's identifying information to commit a federal, state, or local crime. It also authorized the Federal Trade Commission to register complaints of identity theft and all federal law enforcement agencies to investigate and prosecute them. The passage marked the first time that identity theft became a crime in itself in the United States.

4. Lecture 4 - Software Licensing and Export Controls

With software becoming more prevalent in our everyday lives, we should become familiar with important concepts such as software licensing. While some may find the topic of licencing and the legality surrounding it complex, it is important for security professionals to familiarise themselves with the ins and outs of software licensing. A software licence is a legal instrument allowing the use or redistribution of software. Without the licence agreement, using the software would constitute a breach of copyright law. The particular licence agreement will explain to the end user how they can use the software, who may use the software, the locations of use, the number of servers, plus whatever the publisher decides to include in that agreement.

Software agreements can take on many different forms. In some cases, software agreements are detailed contracts that are negotiated between the software vendor and the customer. These types of contracts start off with an initial proposal from the vendor, which is then revised by the customer, and this process can go back and forth a number of times until an agreement is reached. This is commonly referred to as a negotiated contract. A click-through agreement is essentially the polar opposite of this approach. With a click-through agreement, the enduser is presented with a binary option to either accept or deny the contract. Another type of agreement that you should be familiar with is a shrink-wrap agreement.

By shrink wrap, we are referring to the physical shrink wrap around the software. These types of agreements immediately take effect as soon as the shrink wrap or seal on the software is broken. While software licencing is valuable, security professionals should have a broad understanding of the flow of information. Specifically, security professionals should be concerned with the types of information that cross international borders and the regulations surrounding them. In the United States, the government uses the category of regulations known as export controls to restrict the flow of goods and information considered sensitive for military and scientific purposes. International Traffic in Arms Regulation, otherwise known as ITAR, and the Export Administration Regulations are export control regulations run by different departments of the US.

Government. Both of them are designed to help ensure that defense-related technology does not get into the wrong hands. An export licence is a general term for both ITAR and export-controlled items in the US. government has granted permission to transport or sell potentially dangerous items to foreign countries. ITAR, which is the more stringent regulation, was written for articles with direct defense-related applications. The Export Administration regulations applied to technology and information that's considered dual use, or, in other words, technology or information that has both military and commercial applications.

Some of the categories covered under "Eirare sensitive electronics and computers" include lasers, navigation technology, marine systems, and more. Finally, the Office of Foreign Assets Control, or OSAK, restricts economic transactions with countries that are considered sponsors of activities considered contrary to the foreign policy of the United States.

5. Lecture 5 - Data Breaches and Ethics

While we hope that data breaches never occur, the unfortunate reality is that they do. Security professionals must be well informed of their ethical and legal responsibilities, which are governed by local and federal laws and regulations. Data breach laws can be applied to specific industries, or they may be jurisdiction-specific. For instance, the Payment Card Industry Data Security Standard, otherwise known as PCI, DSS is an information security standard for organisations that handle branded credit cards from major credit card schemes. If an organisation suspects or knows that it has suffered a breach of personally identifiable information, or PII, then these laws take effect. Elements of personally identifiable information include Social Security numbers, driver's licence numbers, and bank account numbers.

The scope may be broadened to include other information as well. One of the requirements may include organisations being required to notify individuals, government agencies, and law enforcement when a breach of PII has occurred. Some laws are jurisdiction-specific. The National Conference of State Legislatures maintains a website that links to the data breach notification laws. Of the states that have one in place, here's some helpful information Encryption is an easy way to protect your organisation against data breaches. In fact, many data breach notification laws include specific exemptions for encrypted data. Security professionals should conduct themselves in a manner that is ethically correct. Factors that should always take precedent are confidentiality, integrity, informed consent, transparency, and data sharing. Best Practices.

Hide

Security Policy

1. Lecture 1 - Compliance and Ethics

Welcome to Unit Four. Upon completion of unit four, we will achieve the following goals. First, we will be able to list the four types of security framework documents. We will also be able to identify which of the above-mentioned items are mandatory and which are optional. We will also be able to identify the factors that affect security policy. Furthermore, we'll be able to identify common policies organisations should have, and we'll understand the four key principles of information security. Let's get started. Security expectations and responsibilities are best communicated through clear written guidance. This can be best achieved through a security policy framework. A security policy framework consists of four different types of documents: policies, standards, guidelines, and procedures. A security policy is an overall general statement produced by senior management or a selected policy, board, or committee that dictates what role security plays within the organization. A security policy can be an organisational policy, an issue-specific policy, or a system-specific policy. Security policies are the foundation of a security program, and they take a very long time to put together.

It requires mandatory employee compliance and is only approved at the very highest level of an organization. Standards refer to mandatory activities, actions, or rules. Standards can give a policy its support, reinforcement, and direction. Organizational security standards may specify how hardware and software products are to be used. They may also be used to indicate expected user behavior. They provide a means to ensure that specific technologies, applications, parameters, and procedures are implemented in a uniform, standardized manner across the organization. They derive their authority from policies and provide specific details of security controls. They require a less rigorous approval process, and employee compliance with standards is mandatory. Guidelines are recommended actions and operational guides for IT staff, operational staff, and others.

When a specific standard does not apply, they can also be used as a recommended way to achieve specific standards. When those do apply, guidelines can deal with the methodologies of technology, personnel, or physical security. Guidelines provide organisations with security advice and ensure compliance. Compliance with the guidelines is not mandatory. Procedures are detailed, step-by-step tasks that should be performed to achieve a certain goal. The steps can apply to users, IT staff, operations staff, security members, and others who may need to carry out specific tasks. Many organisations have written procedures on how to install operating systems, configure security mechanisms, implement access control lists, set up new user accounts, assign computer privileges, audit activities, destroy material, and much more. Procedures outline actions step by step, and compliance may be mandatory or optional, depending on the organization.

Hide