The Internet is a global, publicly accessible hub of millions of interconnected networks forming the backbone of the information superhighway. However, this interconnection also creates an entry point for security breaches and is the crux of the Internet's dark side. Exposing a business to the outside world increases the opportunity for security breaches. Internet security must be addressed as part of the overall security policy. The level of security required for the business's use of the Internet should not be left to the IT Manager to retro-fit after the business strategy has been defined. Internet security must be an inherent part of the overall business plan.
Policies
An information security policy consists of high level statements relating to the protection of information across the business and should be produced by senior management.
The policy outlines security roles and responsibilities, defines the scope of information to be protected, and provides a high level description of the controls that must be in place to protect information. In addition, it should make references to the standards and guidelines that support it. Businesses may have a single encompassing policy, or several specific policies that target different areas, such as an email policy or acceptable use policy. From a legal and compliance perspective, an information security policy is often viewed as a commitment from senior management to protect information. A documented policy is frequently a requirement to satisfy regulations or laws, such as those relating to privacy and finance. It should be viewed as a business mandate and must be driven from the top (i.e. senior management) downwards in order to be effective.
Standards
Standards consist of specific low level mandatory controls that help enforce and support the information security policy.
Standards help to ensure security consistency across the business and usually contain security controls relating to the implementation of specific technology, hardware or software. For example, a password standard may set out rules for password complexity and a Windows standard may set out the rules for hardening Windows clients.
Guidelines
Guidelines consist of recommended, non-mandatory controls that help support standards or serve as a reference when no applicable standard is in place.
Guidelines should be viewed as best practices that are not usually requirements, but are strongly recommended. They could consist of additional recommended controls that support a standard, or help fill in the gaps where no specific standard applies. For example, a standard may require passwords to be 8 characters or more and a supporting guideline may state that it is best practice to also ensure the password expires after 30 days. In another example, a standard may require specific technical controls for accessing the Internet securely and a separate guideline may outline the best practices for using the Internet and managing your online presence.
Procedures
Procedures consist of step-by-step instructions to assist workers in implementing the various policies, standards and guidelines.
Whilst the policies, standards and guidelines consist of the controls that should be in place, a procedure gets down to specifics, explaining how ...