The Official (ISC)2 SSCP CBK Reference. Mike Wills
All physical control system elements should be documented and placed under formal configuration management and control appropriate to their physical nature. Concrete block exterior walls, for example, should not have holes drilled or cut into them without proper authorization. The security department might not control or manage all of this documentation or the change management processes for the structural elements of the physical security aspects of your systems; regardless, your organization's security needs determine how closely the building maintenance teams and the security teams need to work with each other.
Administrative Controls
In most organizations and the cultures they are rooted in, there is a natural hierarchy of guidance and direction, starting with broad, sweeping, and visionary statements that get progressively less motivational as they become more prescriptive. Subsequent layers become proscriptive, tending to have as many “thou shalt nots” as they have “shall” statements in them (if not more). Although the names for many of these layers may be different in different settings and cultures, it's still reasonably useful to expect the same basic layers of policies, standards, procedures, baselines, and guidelines.
Policies
Policies are at the heart of what the organization is trying to accomplish. At a high level, policies provide critical instruction to senior executive management to implement measures to achieve external compliance expectations or support the larger strategic vision of the organization. This layer of senior management then promulgates these vision statements down to more tactical and operational managers both as policy statements and in finer-grained direction. As governance documents, the responsibility for creating and maintaining policy rests with the board of directors or other formalized group of senior stakeholders and leaders. As such, policies are one of the ways in which the board demonstrates due care. Boards can and often do delegate or direct that executive or operational management develop these policies and bring them back to the board for review and endorsement.
Policies, relative to other organizational documents, are less likely to change. They provide consistency to the organization's management, allowing the leadership to shape standards and create procedures that achieve the policy end. They should provide management with sufficient flexibility to adapt to new circumstances or technologies without a policy revision.
Mature organizations routinely review their policies within their governance processes. Changing external compliance expectations or shifts in business strategy almost always require changes in statements of policy and vision. Additionally, these same external factors may cause the organization to confront or consider changes to their previously established strategic goals and objectives, which will probably drive more policy changes. The policy review process must address the changing needs of external stakeholders to support predictability in execution of the policies by management.
The use of the term policy when implementing security practice in an organization is often confusing. For example, a password policy may, or may not, be of interest to the governing organization—but it certainly would be of interest to the management team! The organization's governance structure would likely express interest, at the policy level, in ensuring that access controls are present and that the compliance expectations are appropriate to the organization's needs, and leave to management the decision of how often a password should be rotated. That management chooses to refer to the outcome of its due diligence as a policy is an organizational decision.
Sometimes referred to as subpolicies, these management-level amplifying instructions further set behavior expectations for the organization. Some of the areas that might be addressed include passwords, cryptography, identity management, access control, and a wide range of other topics. The critical distinction is whether the instruction comes from the governance body (making it a policy) or whether it is derived from a higher-level policy by the organization's management.
This broad use of the term policy reflects one of the major challenges in our industry. A lack of a common language for information security practice has been repeatedly identified as one of the factors inhibiting the development of a common body of practice in the information security community. It is further complicated in an international environment where translations and cultural differences affect how people perceive information. In addition, the various standards bodies have published specific definitions for information security terms that may have nuanced differences between each other.
And if that's not confusing enough, there are many instances of operating system configuration settings that are also called policies.
Standards
Once the organization has decided what it wants to accomplish, management can start to perform tactical planning and operational activities to carry out the intent of the policies. One tool to support efficient management of resources is the use of standards. Standards simplify management by providing consistency in control. External standards are ones developed outside of the organization, usually by governments or industry association standards-setting bodies such as the IETF or IEEE. These provide the world with a uniform vision, purpose, and set of details about the issues that the standard focuses on. Companies can also generate their own internal standards, which they may choose to make mandatory on all of their systems. Regardless of where the standards come from, they are downward-directed by management onto lower levels of management and supervision to support the achievement of the organization's strategic goals and are tied directly to the organization's policies. Standards also represent a consensus of best practice, as understood by the body that issues the standard. Standards may also be required as part of legal or regulatory needs, or because a contract with a key customer requires the standard to be applied to work performed under that contract.
Private organizations may be required to adopt certain standards to do business in a particular market. For example, if an organization wants a web presence, it has to take into account the standards of the World Wide Web Consortium (W3C) in developing applications.
While standards are a management tool, standards often evolve out of organizational practice. For example, selecting a particular vendor to provide a product may force a standard where none was originally contemplated. De facto standards often evolve inside organizations as different parts of the organization adopt a new technology, not as a conscious management decision.
Well-structured standards provide mechanisms for adaptation to meet local conditions. Through the use of baselines, an organization can shape a standard to better reflect different circumstances. Baselines enable the delegation of decision-making within strict parameters to lower levels of management.
Nevertheless, standards are directive in nature; compliance is not optional. At most, the standard itself and the contractual or legal requirement to abide by it may specify ways in which the application of the standard can be tailored to the task at hand. Organizations that adopt standards may also be required by those standards, by contracts, or by other compliance needs to monitor the successful application of and compliance with those standards.
Procedures
Procedural documents provide highly detailed task-oriented instructions. Procedural documents are useful when a high degree of compliance is necessary and the precise steps to achieve the outcome are not readily apparent to individuals not familiar with the environment.
Management, as part of its diligence responsibilities, enforces organizational procedures through