--Originally published at The Hitchhiker's Guide to information security… according to me!
Securing a system is like going to a buffet. You have a plate in mind, and you start looking for the food that most closely resembles your idea of the perfect dish. After searching for a while you start picking up the best food you found, and by the end your masterpiece is complete. In the information security world there are likewise many constraints, behaviors, procedures, steps to be taken, controls and security mechanisms, risk management frameworks, etc. that you can choose from, and picking the ones that best fit your system requirements is like grabbing all your favorite food and putting it on the same plate… just awesome, and that awesomeness is called a security policy.
A security policy is a document that explicitly states the steps to be taken in order for a company to keep its physical and information assets secure. This ranges from how to educate employees so that they correctly comply with the rules being set, to explanations of how to carry out, through detailed procedures, the security measures that have been established. Think of it like a constitution, where we all agree to follow a set of rules in order to coexist peacefully and build a better future that we all agree to work toward.
Then again, we stumble on the question "Ok, I know the theory, but how is it applied?" and thank God there are people out there who make our mortal lives easier by building frameworks for us, so that we do not fall into the darkness while we travel through this unknown land.
A security policy framework consists of the following four types of documents.
- Policies: documents that state the organization's security expectations. Compliance with them is mandatory.
- Standards: documents that describe