Research Security Policy Frameworks

Part 1: Research Security Policy Frameworks

Note: In this part of the lab, you will review internet resources on security policy frameworks to build an understanding of their purpose and usage. Understanding the reason behind a security policy framework is key to understanding the component policies and procedures. Please take the time to review the research thoroughly and think through the concepts behind the framework itself.

In your browser, navigate to https://www.sans.org/reading-room/whitepapers/policyissues/information-security-policy-development-guide-large-small-companies-1331.
Read Sections 1-5 of the SANS Policy Development Guide.
Summarize the Policy Development Guide’s recommendations for organizing a policy hierarchy and selecting policy topics.
Note: It is important to understand how and why a policy differs from a standard, a procedure, and a guideline. From the top down, the policy should not change or need modification unless a major shift in corporate values or business process occurs. In contrast, guidelines should be reviewed, and possibly changed, often.

Similarly, even though a policy should be written clearly and concisely, it is a high-level document answering the “why” questions. Standards are also high level, but they answer the “what” questions. Finally, the procedures and guidelines provide the “how.”

Examples of security policy and guideline templates are available from the SANS Institute at https://www.sans.org/information-security-policy/.

In the next steps, you will learn about COBIT 2019, a popular industry-standard policy framework.

In your browser, navigate to https://www.cio.com/article/3243684/what-is-cobit-a-framework-for-alignment-and-governance.html.
Describe the core principles and objectives of COBIT 2019.

Part 2: Define a Security Policy Framework

Note: Understanding both unique and universal risks to your organization’s IT infrastructure is essential to developing an appropriate IT security policy framework for your organization. In this part of the lab, you will review a list of risks, threats, and vulnerabilities and define appropriate policies to mitigate them. Next, you will organize your policies into a policy framework.

 
