Reducing Risk with Security Policies – CompTIA Security+ SY0-401: 2.1

The backbone of any security strategy is the creation and management of security policies. In this video, you’ll learn why policies are important and which parts of the organization will be involved in the creation of security policies.

<< Previous Video: False Positives and False NegativesNext: Calculating Risk >>

As human beings, we tend to have a love-hate relationship with policies. I’m sorry, that’s not our policy. I’m sorry, we can’t do that, it’s not something that we do according to the policy that we have. It’s often a barrier that’s put in place, but from a security perspective, these policies are things that everybody is made aware of. It’s things that also allow you to do your jobs, so they become very important.

Your security role starts and ends with these policies. The better policies you have, the better security you’re enabled to have on your network. If you don’t have very good policies, you’re not going to have very much but you can do from a security perspective to keep your organization safe. So this is not something that you create and you’re done, this is something that you build and you continue to build on. It is a living document that you’re constantly enhancing, improving, and changing based on the way your organization is changing.

Security policies cover a lot of different areas. They might cover physical security. What doors need locks? What happens when somebody enters the building in they’re a visitor, how do you handle that person? What happens if you show up at work and you’ve forgotten your badge? There should be a set of policies associated with that.

Policies are also technical policies. How you handle change control on your firewall? What happens if a machine gets a virus? What if that particular machine has confidential information on it? These are all things that must be considered. And you have to make sure there’s a policy, so when that particular situation occurs, everyone knows the proper procedure to go through to handle that particular issue.

There are policies for human resources. And from a security perspective, that becomes pretty important. You want to be sure when somebody is hired into the organization, when somebody is fired or leaves the organization, you need to know exactly what to do. You never want to have somebody’s credentials still remain on when they are no longer part of your organization. So there’s a number of things you could do from a human resource perspective.

There’s also business policies. Think about the things that you do as an organization and the way things are handled. How is information that is private to the organization handled? How to handle the release of press releases and other internal documents within your organization? You need to set policies on that as well.

If you’re doing any type of encryption on your web servers, on your email servers, on your database servers– there are certainly a set of certificates that have been loaded on those machines. And being able to manage the certificates– keeping them secure, understanding who has access to those, how you build those certificates out, how you roll out trusted certificate authorities in your environment– all that falls under certificate policies.

And this is something you really have to consider. Whenever you start building out encryption and decryption creation on your servers, you’ll find very quickly, the management of these certificates is quite a job. And if you don’t have policies set up to allow, disallow, and manage changes of those things, it can become very, very bad over a long term. Because you’re not sure exactly where your certificates are, who managed them, what are the pass phrases are associated with those certificates– it becomes a bit of a challenge.

So make sure if you’re doing more and more with certificates, that you have a set of policies that you follow. And like everything else, that policy will continue to evolve as your certificates become in broader use, and people are using them more on servers and on workstations.

One of the more important policies you’ll run across, as one that we’ve dedicated a number of videos to, is incident response. That is one of the things you always hate having to deal with as a security person. But it very often, it’s one the most important things you have to consider. This very, very short period of time when an incident occurs and the time you’re able to respond to it, can become very, very important for preserving data, keeping things private, maintaining up time, and ultimately maybe even having legal repercussions down the road against someone who may have caused an incident in your environment.

So that’s a very broad set of policies. It is one that almost certainly you’re involving your HR department, your legal department, and other parts of your organization to help build, because you have to know when an incident occurs– what do I have available to me? What options are available? Who should I contact? What can I do? And the better the policy is, the better you’ll be able to respond when those incidents happen.