INFORMATION SECURITY AND AUDIT
SECURITY POLICIES AND OBJECTIVES
Security Policies
Security policies are formalized rules and procedures designed to protect information systems from threats and ensure compliance with laws and regulations.
Security Objectives
Security objectives are specific goals that an organization aims to achieve to maintain a secure information system environment. Key security objectives include:
- Confidentiality:
  - Ensures that sensitive information is accessible only to authorized individuals.
  - Implements encryption, access controls, and data masking techniques to protect data.
- Integrity:
  - Maintains the accuracy and completeness of information and systems.
  - Uses checksums, cryptographic hashes, and input validation to detect unauthorized modifications (a hash alone detects tampering; preventing it requires access control or a keyed tag such as an HMAC).
- Availability:
  - Ensures that information systems and data are accessible when needed.
  - Implements redundancy, disaster recovery planning, and regular backups to maintain system availability.
- Authentication:
  - Verifies the identity of users, devices, and systems before granting access.
  - Utilizes multi-factor authentication, biometric verification, and secure tokens.
- Authorization:
  - Defines and enforces what authenticated users are allowed to do within the system.
  - Implements role-based access control (RBAC) and attribute-based access control (ABAC).
- Non-repudiation:
  - Ensures that actions and transactions can be traced to their origin and that the originator cannot later deny them.
  - Uses digital signatures and tamper-evident audit logs; a plain log written by the system itself traces actions but does not by itself stop a party from denying them, since it is not bound to that party's private key.
Network Security Policy
Network security policies outline strict guidelines on how an organization uses, manages, and protects its network-based assets.
Information Security Policy
An information security policy is a set of rules and guidelines on how to use, manage, and protect sensitive data.
Need for an Information Security Policy
- Establish a general approach to information security
- Document security measures and user access control policies
- Detect and minimize the impact of compromised information assets such as misuse of data, networks, mobile devices, computers and applications
- Protect the reputation of the organization
- Comply with legal and regulatory requirements such as GDPR and HIPAA, and with frameworks such as the NIST standards that auditors and regulators reference
- Protect customers' data, such as credit card numbers
- Provide effective mechanisms to respond to complaints and queries related to real or perceived cyber security risks such as phishing, malware and ransomware
Example of Security Policy
Let X be a set of entities and let I be some information.
I has the property of confidentiality with respect to X if no member of X can obtain information about I.
I has the property of integrity with respect to X if all members of X trust I (that is, they have grounds to believe I has not been altered without authorization).
I has the property of availability with respect to X if all members of X can access I when they need it.
A security mechanism is an entity/procedure that enforces some part of the security policy.
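The following is an added example, not part of the original notes, that turns the three definitions above and the objectives listed earlier into a small, runnable security mechanism. It models a protected piece of information I, a set X of entities that must not learn it, and a reference monitor `read()` that enforces confidentiality (members of X are refused), integrity (I is stored with an HMAC tag and is not released if the tag no longer verifies) and availability (an explicit availability flag), and that records every decision in an audit log. The sample data, the entity names, the integrity key and the function names are all constructed for this example.

```python
import hashlib
import hmac
import secrets
from typing import Dict, List, Optional

# Constructed sample data (not from the notes).
INFORMATION = b"Q3 payroll total: 1,250,000"
DENIED = frozenset({"mallory", "eve"})    # X: entities that must not learn I
PERMITTED = frozenset({"alice", "bob"})   # entities allowed to read I

# Hypothetical key held only by the mechanism; used to tag I so that
# modification is detectable. Generated fresh here for the demo.
DEMO_KEY = secrets.token_bytes(32)

# Every decision the mechanism makes is appended here so that access
# attempts can later be traced to their origin.
AUDIT_LOG: List[Dict[str, str]] = []


def protect(info: bytes, key: bytes) -> Dict[str, object]:
    """Store I together with an HMAC-SHA256 tag computed under the mechanism's key."""
    tag = hmac.new(key, info, hashlib.sha256).hexdigest()
    return {"data": info, "tag": tag}


def verify_integrity(record: Dict[str, object], key: bytes) -> bool:
    """Recompute the tag over the stored bytes and compare in constant time."""
    expected = hmac.new(key, record["data"], hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, record["tag"])


def read(subject: str, record: Dict[str, object], key: bytes,
         available: bool = True) -> Optional[bytes]:
    """The security mechanism: return I only if every objective holds.

    Confidentiality w.r.t. X: no member of DENIED (and nobody outside
    PERMITTED) ever receives I.
    Availability: if the store is marked unavailable, nobody receives I.
    Integrity: I is released only if its tag still verifies, so readers
    have grounds to trust it.
    """
    if subject in DENIED or subject not in PERMITTED:
        decision, result = "deny: confidentiality", None
    elif not available:
        decision, result = "deny: unavailable", None
    elif not verify_integrity(record, key):
        decision, result = "deny: integrity check failed", None
    else:
        decision, result = "allow", record["data"]
    AUDIT_LOG.append({"subject": subject, "decision": decision})
    return result


def tamper(record: Dict[str, object], new_data: bytes) -> Dict[str, object]:
    """Simulate an attacker rewriting the stored bytes without knowing the key."""
    return {"data": new_data, "tag": record["tag"]}


def demo() -> List[Dict[str, str]]:
    """Run the scenarios an auditor would expect and return the resulting log."""
    AUDIT_LOG.clear()
    rec = protect(INFORMATION, DEMO_KEY)
    read("alice", rec, DEMO_KEY)                     # allowed
    read("mallory", rec, DEMO_KEY)                   # member of X: refused
    read("bob", rec, DEMO_KEY, available=False)      # outage: refused
    read("bob", tamper(rec, b"Q3 payroll total: 1"), DEMO_KEY)  # altered: refused
    return list(AUDIT_LOG)


if __name__ == "__main__":
    for entry in demo():
        print(entry["subject"], "->", entry["decision"])
```

Note what the audit log does and does not give you: it lets the organization trace each decision to a subject (the tracing half of non-repudiation), but because the mechanism itself writes the entries, a subject could still dispute them. Binding a subject to an action so that denial is not credible needs a digital signature made with a key only that subject holds, which this example does not implement.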
Key Elements of Security Policy
- Information security objectives
- Purpose
- Data classification
- Security awareness training
- Audience
- Authority and access control policy
- Data support and operations
- Responsibilities and duties of employees