This document discusses the key components of an information security policy framework, including security policies, standards, guidelines, procedures, and baselines. It explains that a security policy framework establishes a hierarchy of documents to formalize the information security implementation. Security policies are broad strategic statements that assign responsibilities and define acceptable risks, while standards, guidelines and procedures provide increasingly granular tactical and operational guidance. Data classification is also covered, which is the process of categorizing data based on sensitivity to determine appropriate security controls.

1. DOMAIN 3: Information Security Governance and Risk
Management
# 3.05

2. CISSPills Table of Contents
 Security Policy Framework
 Security Policy Framework Hierarchy
 Security Policy
 Standards
 Guidelines
 Procedures
 Baselines
 Data Classification

3. CISSPills Security Policy Framework
In order to reduce the likelihood of a security failure, the information security
implementation has to be somewhat formalised by implementing a Security
Policy Framework (SPF).
An SPF involves the creation of a hierarchical set of documents that at each
level increase the level of details and cover specific information and issues.

4. CISSPills Security Policy Framework Hierarchy
Policies
Standards
Guidelines
Procedures
Strategic
Tactical

5. CISSPills Security Policy
This is an overall general statement produced by the senior management to define the
main security objectives and to outline the security framework of an organisation. It’s a
strategic plan for implementing security and is used to:
 assign responsibilities;
 define roles;
 specify audit requirements;
 outline enforcement processes;
 indicate compliance requirements;
 define acceptable risk.
The Security Policy is often used as a proof that management is exercising due care
and is compulsory.
Policies are written in broad terms, however more granularity is needed to support
them and this is where standards, guidelines and procedures come into play.

6. CISSPills Security Policy (cont’d)
 Organisational security policy: this focuses on issues relevant to every aspects of an
organisation. This is also referred to as master security policy;
 Issue-specific policy: this focuses on individual topics that the management feels need
more detailed explanations and attention to make sure a comprehensive structure is built
(e.g. e-mails);
 System-specific policy: this focuses on individual systems, or types of systems, and
outlines how these should be protected (e.g. databases).
In addition to these focused types of policies, there are three overall categories of security
policies: regulatory, advisory and informative.
 Regulatory policy: this type of policy ensures that the organisation is following standards
set by specific industry regulations (e.g. HIPAA, PCI-DSS, etc.); it’s very detailed and specific
to a type of industry (e.g. Financial Services);
 Advisory policy: this type of policy discusses behaviours and activities that are acceptable
and defines consequence of violations;
 Informative policy: this type of policy is designed to provide information or knowledge about
a specific subject; it’s not enforceable, but rather teaches individuals about specific issues.

7. CISSPills Standards
Standards are mandatory activities, actions or rules that help supporting and
reinforce policies.
They are tactical documents, which ensure that specific technologies,
applications and parameters are applied in a consistent fashion
(standardised) across the organisation.
It is more granular than a policy and specify how protection should be
implemented and followed.

8. CISSPills Guidelines
Guidelines are the next tier in the SPF hierarchy and offer recommendation
on how standards are implemented and serve as operational guides for both
security professionals and users.
Whereas standards are specific mandatory rules, guidelines are not
compulsory.

9. CISSPills Procedures
Procedures are the final element of the hierarchy; they provide detailed step-
by-step documents that describe the exact actions necessary to implement a
specific security mechanism, control or solution.
The purpose of a procedure is to ensure the integrity of a business process: if
everything is accomplished by following the detailed steps, then all the
activities should be in compliance with policies, standards and guidelines.
Procedures ensure standardisation of security across all systems.

10. CISSPills Baselines
The term baseline can have two meanings:
 It can refer to a point in time configuration/status that is used as a
comparison for future changes;
 It can also refer to define the minimum level of protection required.

11. CISSPills Data Classification
Data Classification is the process of organising items, information, objects
and so forth based on their need for secrecy, sensitivity or confidentiality.
The reason for this categorisation is because securing any asset in the same
way is not cost-effective; hence data classification is the practice by which it
is possible ensuring that assets are protected proportionally to their level of
criticality.
Once data are categorised according to their sensitivity level, it is possible
deciding what security controls are necessary to protect the different
classification levels.
Data classification allows to follow a risk-based approach when it comes to
asset protection, which means that the number and strength of controls
deployed for an asset depends on its importance.

12. CISSPills That’s all Folks!
We are done, thank you for the interest! Hope you have enjoyed these pills as much
as I have had fun writing them.
For comments, typos, complaints or whatever your want, drop me an e-mail at:
cisspills <at> outlook <dot> com
More resources:
 Stay tuned on for the next issues;
 Join ”CISSP Study Group Italia” if you are preparing your exam.
Brought to you by Pierluigi Falcone. More info about me on
Contact Details