Introduction
Hi all! Welcome back to the CEH series. In this post we will be going through some definitions you should be aware of when it comes to security controls. Happy Learning! 😊
Information Assurance Vs Information Security
Similarities?
- They are concerned with risk assessment, and security policy development.
- Also concerned with the implementation of security controls.
Differences?
- Information assurance focuses more on risk assessment and mitigation whereas information security is more concerned with implementing security controls.
- Information assurance heavily influences security management programs such as compliance, user security awareness, disaster recovery etc. because of being risk assessment oriented.
- Information security focuses more on technical control implementation.
What are security policies?
Security policies are written guidelines and rules that define how an organisation protects its valuable assets, including information, systems, and people. They act as a foundation for cybersecurity and information assurance, aiming to mitigate risks, ensure compliance with regulations, and maintain a responsible digital environment.
Goals
- It should say what we can or cannot do.
- It maintains the CIA triad (confidentiality, integrity, and availability).
- Reduce or prevent the loss of data or resources
- Lower the overall risks to the organization
- Define the liability of employees and third parties.
- Resources should only be available to those who are intended to have them.
The Pillars of Protection: Understanding Essential Security Policies
In today’s digital landscape, safeguarding sensitive information is paramount for any organization. Security policies serve as the foundation for achieving this vital objective, outlining best practices and establishing clear guidelines for responsible data management. Let’s delve into four key security policies that play a crucial role in fostering a secure environment:
Password Policy
This policy acts as the first line of defense by dictating password creation, usage, and maintenance. It specifies:
- Minimum Length: Enforcing a minimum password length, typically eight or more characters, enhances complexity and resistance to brute-force attacks.
- Complexity Requirements: Mandating a combination of uppercase and lowercase letters, numbers, and symbols significantly strengthens password security.
- Regular Expiration: Requiring periodic password changes, such as every 90 days, mitigates the risk of compromised credentials remaining effective.
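The three rules above can be encoded as a small policy check. This is an added example, not code from the original post; the thresholds (8 characters, all four character classes, 90-day rotation) are the figures the post cites and are assumed here to be one organisation's policy rather than a standard.

```python
from datetime import date, timedelta
import string

# Assumed policy values, taken from the figures quoted in the post.
MIN_LENGTH = 8
MAX_AGE_DAYS = 90
REQUIRED_CLASSES = {"lower", "upper", "digit", "symbol"}


def complexity_classes(password: str) -> set:
    """Return the set of character classes present in the password."""
    classes = set()
    for ch in password:
        if ch.islower():
            classes.add("lower")
        elif ch.isupper():
            classes.add("upper")
        elif ch.isdigit():
            classes.add("digit")
        elif ch in string.punctuation:
            classes.add("symbol")
    return classes


def check_password_policy(password: str, last_changed: date, today: date) -> list:
    """Return a list of policy violations; an empty list means compliant.

    Covers the three rules from the password policy: minimum length,
    complexity (all required character classes present) and expiration
    (password must not be older than MAX_AGE_DAYS).
    """
    violations = []
    if len(password) < MIN_LENGTH:
        violations.append(f"shorter than {MIN_LENGTH} characters")
    missing = REQUIRED_CLASSES - complexity_classes(password)
    if missing:
        violations.append("missing character classes: " + ", ".join(sorted(missing)))
    if today - last_changed > timedelta(days=MAX_AGE_DAYS):
        violations.append(f"older than {MAX_AGE_DAYS} days; rotation required")
    return violations


if __name__ == "__main__":
    # Constructed sample: a compliant password set one month ago.
    print(check_password_policy("Tr0ub4dor&3", date(2024, 1, 1), date(2024, 2, 1)))
```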
Acceptable Use Policy (AUP)
This policy clarifies the acceptable and unacceptable uses of company resources, ensuring responsible and ethical conduct. It typically addresses:
- Permitted Activities: Clearly defining authorized uses of company-owned devices, software, and networks prevents misuse and potential security breaches.
- Personal Use Limitations: Establishing boundaries for personal use on company resources ensures proper resource allocation and protects business integrity.
- Prohibited Activities: Outlining unacceptable actions, such as accessing banned websites or engaging in unauthorized data transfers, reinforces security measures.
Data Retention Policy
This policy governs the storage, management, and eventual disposal of data, ensuring compliance with regulatory requirements and minimizing security risks. It dictates:
- Data Classification: Classifying data based on sensitivity levels allows for appropriate retention periods and security protocols.
- Retention Periods: Defining specific retention periods for different data types ensures timely deletion of outdated or unnecessary information.
- Disposal Methods: Mandating secure disposal methods, such as data encryption and certified erasing procedures, safeguards sensitive information from unauthorized access even after deletion.
Access Control Policy
This policy grants appropriate access privileges to various users within the organization, safeguarding sensitive data and systems. It delineates:
- Access Levels: Establishing a hierarchy of access levels ensures that users only have access to the data and systems they need to perform their duties.
- Least Privilege Principle: Adhering to the principle of least privilege grants users only the minimum access required for their roles, minimizing the potential damage from compromised credentials.
- Sensitive Data Restrictions: Implementing stricter access controls for highly sensitive data further enhances security and minimizes the risk of unauthorized exposure.
Conclusion
That's it for this post, I hope you got a basic knowledge of security policies and controls 😅. It is important for organisations to have such security policies in order to manage the safety of their data and customers. It is also important to revise the policies regularly to keep the security controls updated. Anyways, I hope this post was useful. See you in the next post. Sayonara! 💜