Cybersecurity governance consists of a structured framework of policies, standards/baselines, guidelines, and procedures. These components work together to ensure an organization’s security objectives are met and risk is managed effectively.
Policies
Policies are high-level statements that define an organization’s overall cybersecurity goals and objectives. They state what must be done and why, providing a broad framework without specifying how to do it. Policies are typically approved by senior management and apply to everyone in the organization.
Examples:
- Acceptable Use Policy: Defines how employees can use company resources, such as computers and the internet.
- Data Classification Policy: Establishes a system for categorizing data based on its sensitivity (e.g., public, internal, confidential, restricted).
- Remote Work Policy: Outlines the rules and requirements for employees working from non-office locations to protect company data.
Standards/Baselines
Standards/Baselines are mandatory rules that spell out in more detail what is required to achieve policy objectives. They specify the technologies, configurations, and security controls that must be used. Think of them as the technical specifications for implementing the policy.
Examples:
- Password Standard: Mandates specific requirements for passwords, such as minimum length (e.g., 12 characters), complexity (e.g., a mix of uppercase, lowercase, numbers, and symbols), and expiration frequency (e.g., every 90 days).
- Hardening Baseline: Specifies the minimum security settings for all servers, such as disabling unnecessary services, configuring firewall rules, and changing default administrator passwords.
- Encryption Standard: Requires that all data at rest on company laptops and all data in transit over public networks must be encrypted using a specific cryptographic algorithm (e.g., AES-256).
Guidelines
Guidelines are recommendations and best practices that provide additional context and advice for following policies and standards. Unlike standards, guidelines are not mandatory; they offer flexibility and help individuals make sound security decisions in various situations.
Examples:
- Email Security Guidelines: Recommends that employees verify the sender before opening attachments or clicking links in suspicious emails.
- Physical Security Guidelines: Suggests employees lock their computers when they leave their desks, even for a short time, and not hold doors open for unbadged individuals.
- Mobile Device Guidelines: Provides tips on how to securely configure personal mobile devices used for work, such as enabling screen locks and using secure Wi-Fi connections.
Procedures
Procedures are detailed, step-by-step instructions for performing a specific task or process. They describe the how-to part of cybersecurity governance, ensuring tasks are performed consistently and correctly. Procedures are often the most detailed component of the framework.
Examples:
- Incident Response Procedure: A checklist outlining the exact steps to follow when a security incident is detected, including who to notify, how to isolate affected systems, and how to document the event.
- User Provisioning Procedure: The step-by-step process for creating a new user account, including obtaining the necessary approvals, assigning permissions based on job role, and setting up multi-factor authentication.
- Vulnerability Scanning Procedure: A document detailing the schedule, tools, and steps for conducting regular vulnerability scans on network devices and applications.
Ready to get started on your cybersecurity governance implementation? We can help you determine which documents apply, assist in the development process, and adhere to best practices. Contact Us for a free consultation!