
richardb8006 | Chief Information Security Officer (CISO) | Module 5 - Policies, Procedures, Standards & Guidelines

By: richardb8006 | Related Course: Chief Information Security Officer (CISO) | Published: February 6, 2018 | Modified: February 7, 2018

Module 5 - Best practices

This lesson wraps up our section on policy.  Instructor Kelly Handerhan leaves you with some practical suggestions that should make your policy writing more effective and more easily understood, which in turn will enhance compliance.

  • Less is more; don’t “over-write”
  • Know your audience and write to their level
  • Always keep the subject/verb close together
  • Use the “active voice” when possible; it is more directive and implies ownership
  • Make it professional: be consistent in the use of fonts and styles

Always include an introduction in which you make your case and present the business justification for that particular policy.  Always obtain sign-off from employees.

Module 5 - CIA policies

In this lesson, instructor Kelly Handerhan explains the policies that we use to protect the organization’s C-I-A (confidentiality, integrity and availability).

Separation of duties: works very closely with the ideas of least privilege and “need to know.”  An employee is only given the rights to perform the activities that are necessary for their job.  It reduces the likelihood that exploits such as social engineering will succeed.

Acceptable Use Policy (AUP): the organization dictates what the acceptable use of company resources is.

Mandatory vacations: an effective detective tool.  If there has been a spate of unexplained security breaches or other untoward activity, separating an employee from the company for a specified period will sometimes reveal who the culprit is.

Job rotation: an effective way to cross-train staff to ensure redundancy in the event a particular staff member is absent for some reason.

Least privilege: much like separation of duties; it ensures data security by preventing any one employee from being able to access more information or resources than they require in order to perform their assigned duties.

Need to know: ensures that no staff member possesses more information than they require in order to efficiently perform their job.

Dual control: used when a task or function is so sensitive that it is more secure to split the task between two team members.

Computer ownership: who owns a company laptop?

Onboarding/offboarding: how do we bring people into the organization and how do we let them go?

Module 5 - Exceptions to policies

In this lesson, we will look at exceptions in the realm of policy management.  While policies are intended to be inclusive, there will be situations where exceptions to a policy are required.  Whether it’s hardware that cannot be brought into compliance or staff who necessarily must be exempted, there must be a procedure set up to deal with the inevitable exceptions to policy.

The Process of Managing Exceptions

The procedure for how exception requests are submitted, evaluated and recorded must itself be documented.  An exception request form should be customized and standardized, and then used as a template.

There must be a concomitant response form that will be completed by the individual who approves or rejects the exception request, and a tracking log should be kept of all exceptions that have been granted.

There are supplementary documents that should be included in the exception process:

  • Descriptions of roles and responsibilities
  • Technology standards
  • Workflows demonstrating how security functions performed by different departments combine to ensure secure data handling
  • Guidelines that advise on the easiest ways to comply with security policy

Module 5 - Intro and liability

In this lesson, participants will be introduced to key concepts in policies, procedures, standards and guidelines as they pertain to risk management and legal liability.  You will learn about the constraints affecting an organization, and details regarding each particular constraint.

What are our constraints?

  • Legal
  • Physical and environmental
  • Ethics
  • Culture
  • Costs
  • Personnel
  • Organizational structure
  • Resources (capital, technology, people)
  • Capabilities (Knowledge, training, skills)
  • Time
  • Risk appetite

Legal drivers as they pertain to liability:

  • Failure of management to exercise Due Care and/or Due Diligence can be termed negligence.  Culpable negligence is often used to prove liability in a court of law
  • The Prudent Man Rule: You are expected to perform duties in the same manner as a prudent person in similar circumstances

An example of Due Care would be the setting of policy, and an example of Due Diligence would be enforcing that policy.

  • Downstream liabilities: integrating technology with other companies can extend one’s responsibility beyond the normal bounds

The use of outsourcing and third-party service providers can increase the risks to the organization.  When we outsource we are only transferring risk, not eliminating it, and we have no guarantee that the third party will compensate us in the case of loss.

Module 5 - Policy basics

In this lesson, instructor Kelly Handerhan covers the basics of policy.  We’ve looked at risk, we moved on to strategy, and now it’s time to write our policies.

When we talk about policies, we’re talking about high-level statements from senior management.  For example, a security policy is likely to be very broad in nature.

After corporate strategy is developed, next come:

  • Policies: broad, high-level statements addressing topics such as: what is the organization’s desired security posture?  What does the organization need to do to maintain its security posture?
  • Standards: standards supply specifics to policy, such as: how will users protect their workstations?  How will servers be hardened?
  • Procedures: a detailed “how to” with step-by-step instructions
  • Guidelines: helpful suggestions for best practices

What should policy include?

  • Scope: it should address all information, systems, facilities, programs, data, networks and all users of technology in the organization, without exception
  • Information classification: should provide content-specific definitions
  • Management goals for secure handling of information in each classification category
  • Placement of the policy in the context of other management directives and supplementary documents
  • References to supporting documents
  • Specific instruction on well-established organization-wide security mandates
  • Specific designation of well-established responsibilities
  • Consequences for non-compliance

Module 5 - Policy lifecycle

This lesson covers how we’ll manage the policy lifecycle.

Chances are good that when you assume the role of CISO at an organization, there are already good policies in place.  Effective management of the policy lifecycle, from creation to retirement, will involve:

  • Reviewing the existing policies
  • Consolidation of policy

Policy review should be regularly scheduled and executed at least once a year.  Policy review should also be executed in the event of:

  • Changes to management structure
  • Changes to network infrastructure
  • Major upgrades
  • Acquisitions

Reviewers and approvers of policy must be identified.

  • Utilize the information security team, SMEs, auditors, legal, etc.
  • Determine who should be the reviewers and approvers for each update
  • Remember that ultimately it’s up to the system owner to approve
  • Notify them beforehand that they will be asked to provide input
  • Provide an approximate schedule if possible

When conducting reviews, you must:

  • Carefully review the materials that were sent
  • Determine whether the content and wording are acceptable
  • Be careful not to base an approval decision on whether or not the company is currently in compliance with the policy
  • Base approval on the appropriateness of the requirements
  • Main deliverable: a completed review
  • If this can’t be done, why not?

Identify gaps

  • Assess current policies and identify gaps
  • Review with the auditor
  • Document and prioritize gaps
  • Missing statements, sections or policies
  • Weak statements

Create new or revise existing documentation

  • Utilize the information security team, SMEs, auditors, legal, etc.
  • Make appropriate changes to existing documents, or create new documents
  • Follow the prioritized enhancement list
  • Distribute for review when complete
  • Main deliverable: new and/or updated documents

Provide feedback

  • Document all feedback and forward it to the authors, or schedule a meeting to discuss it
  • If feedback is legitimate, update the documentation
  • It may be more appropriate to make a change other than the one suggested that still meets the spirit of the comment
  • If the feedback demonstrates a misunderstanding on the part of the reviewer, consider updating the wording in the document to clarify it, because others may have the same confusion
  • Document a response to each feedback item, whether or not a change was made, and if not, why not
  • Main deliverable: documented and delivered feedback

Obtain approval

  • Sign-off from the applicable approvers (identify who they are)
  • Sign-off from executives
  • A large number of security documents may overwhelm reviewers, approvers and executives
  • Main deliverable: approved document
