Hi, and welcome to Module 2, Lesson 8. In this lesson we're gonna talk about policy.
Up to this point, we've talked about all of the different layers of security and the components at each layer. But now we want to talk about establishing a policy that formally regulates how we interact with all of these different components and how our end users interact with the environment.
There's a lot of different policies. I'm gonna talk about some of the common policies that are used in organizations in this section.
First up, acceptable use policy, and that just dictates how company assets and systems should be used, what's acceptable and not acceptable. Can I open personal email on my work laptop or not? What things can I do and can I not do on my company devices?
Next up is an access control policy, and that can cover things like password complexity. That data classification that we talked about during the DLP section, that could be covered here. You can outline what the different classifications are of data and who should access them, and what security models you use to access them could be covered in the access control policy,
even things like unattended workstations. Maybe you have a policy that says you have to lock the workstation if it's unattended.
That should be written in an access control policy, and end users should sign off on it or acknowledge that they've seen it.
Change management policy is just gonna be the formal policy that outlines all of those things we talked about during the change management section. It's going to cover things like the meeting schedule: when do change management meetings happen? How do things get approved, and what the general process is from getting approval to implementation to any kind of post activities after the change that need to occur.
An incident response plan is something every organization needs. You never want to think about a breach happening or a bad security incident happening. But you want to have a plan in place in case it does. You want to be prepared. This plan can cover things like containment and eradication. How do we stop the bleeding? How do we eradicate the threat?
It should also cover things like forensics handling, and this is a very important one because if you're attacked in cyberspace, once you contain and eradicate that situation, you may want to take legal action against whatever entity attacked you. If you don't handle the data properly in that initial firefighting, in that initial containment phase, none of the information that you gather can be used as evidence in a legal setting.
So understanding chain of custody and having a plan in place on how to handle data when you're gathering artifacts from systems during an incident is very important if you want to take legal action after the incident.
A communications plan is pretty important. It can be placed into the incident response plan. You know, are we gonna notify the press? When do we need to notify law enforcement? Who's gonna call the CEO? All of those types of things. Do we need to notify shareholders? How are we going to do this? Who's going to do the notification? All of those things could be included in the communications plan section of the incident response plan.
Remote access policy simply covers the method for remotely connecting to the internal network. Can I use my personal laptop to connect to the network? Can I use my personal phone? Do I need to use a company device? All of those types of things.
Disaster recovery policy, that can work in conjunction with that incident response plan, and is basically going to just establish a process for recovering systems and data. So in the event that an incident turns into a disaster, or that we just have some local disaster that happens, how do we recover those systems?
Now, this is normally part of a larger business continuity plan, and a business continuity plan simply coordinates efforts across the entire organization in the event of some sort of disaster.
How do we prioritize which systems come up first, right? Some systems are more impactful than others, and we need to know which ones come up first, and the method for bringing those up.
The purpose of the business continuity plan is to simply outline how the business is gonna operate during an emergency while systems are coming back up. Once everything's back up and running and recovery is complete, then you can exit the business continuity process and go back into normal operating process.
Okay, these were a few of the policies. There's many different policies you can create. Those are a few of the common ones in organizations. So that brings us to the end of our policy section. Next up, we're gonna talk about taking a risk-based approach to everything we've talked about so far.