Security Practices and Management

The document provides an overview of security practices, management, and policies essential for protecting an organization's information assets. It outlines the components of security management, types of security policies, risk management processes, and the importance of business continuity and disaster recovery. Additionally, it emphasizes the relationship between these concepts in creating a comprehensive security framework.

1. Security Practices – Overview

Security practices are structured activities and controls that protect an organization’s
information assets from threats such as cyberattacks, insider misuse, natural disasters, and
system failures.

They ensure:

• Confidentiality
• Integrity
• Availability

(together known as the CIA Triad)

Security practices are not just technical. They include management decisions, policies,
procedures, and recovery planning.

2. Security Management
What is Security Management?
Security Management is the process of planning, implementing, monitoring, and improving
security controls in an organization.

It ensures that security is aligned with business objectives.

Key Components

1. Governance

• Defines who is responsible for security.
• Establishes authority and accountability.
• Example: appointment of a CISO (Chief Information Security Officer).

2. Security Planning

• Identifying assets
• Identifying threats and vulnerabilities
• Defining controls

3. Implementation of Controls

Controls may be:

• Administrative (policies, training)
• Technical (firewalls, encryption)
• Physical (CCTV, access cards)

4. Monitoring and Review

• Audits
• Security log review
• Compliance checks

Objectives

• Reduce risk
• Protect organizational reputation
• Ensure legal and regulatory compliance

3. Security Policy
Definition
A Security Policy is a formal document that defines how an organization protects its
information assets.

It acts as the foundation of all security practices.

Types of Security Policies

1. Enterprise Information Security Policy (EISP)

• High-level document
• Defines security vision and objectives

2. Issue-Specific Security Policy (ISSP)

• Focused on specific topics
• Example: email usage policy, password policy

3. System-Specific Policy (SSP)

• Technical details
• Configurations and system-level controls

1⃣ Enterprise Information Security Policy (EISP)

What is EISP?
Enterprise Information Security Policy is the highest-level security document in an
organization.

It defines:

• The organization’s security vision
• Security objectives
• Roles and responsibilities
• Management commitment

It is strategic in nature, not technical.

Think of it as the “constitution” of organizational security.

Key Characteristics

• Approved by top management
• Broad and organization-wide
• Technology-independent
• Defines accountability structure
• Mandatory for all employees

What Does EISP Typically Include?

1. Purpose of security
2. Scope (who and what it applies to)
3. Security objectives
4. Roles and responsibilities
5. Compliance requirements
6. Legal and regulatory obligations
7. Consequences of policy violation

Example of EISP (Banking Organization)

Statement of Intent:
“The organization is committed to protecting customer data and financial information from
unauthorized access, disclosure, alteration, and destruction.”

Security Objectives:

• Protect customer confidentiality
• Maintain integrity of financial transactions
• Ensure availability of banking systems

Roles:

• CISO responsible for implementation
• Employees responsible for compliance
• IT department responsible for monitoring

Notice: no technical details such as firewall configuration appear here; those belong in the system-specific policies described below.

2⃣ Issue-Specific Security Policy (ISSP)

What is ISSP?
Issue-Specific Security Policy focuses on a particular security issue or topic.

It addresses specific risks and provides rules related to that issue.

It is more detailed than EISP but still not deeply technical.

Common Examples of ISSP

• Password Policy
• Email Usage Policy
• Internet Usage Policy
• Social Media Policy
• Remote Access Policy
• BYOD (Bring Your Own Device) Policy

Structure of ISSP

1. Purpose
2. Scope
3. Acceptable use
4. Prohibited use
5. Enforcement
6. Sanctions (here, the penalties applied when the policy is violated; in general usage a sanction can also mean an official authorization, but policy documents use the penalty sense)

Example 1: Password Policy (ISSP)
Purpose:
To ensure strong authentication mechanisms.

Requirements:

• Minimum 12 characters
• Must include uppercase, lowercase, numbers, special characters
• Change every 90 days
• Account locked after 5 failed attempts

Prohibited:

• Sharing passwords
• Writing passwords on paper
• Using default passwords

Caveat: the 90-day rotation rule reflects older practice. Current NIST guidance (SP 800-63B) recommends against forced periodic changes, because they push users toward predictable variations of the old password, and instead recommends screening new passwords against lists of known-breached passwords and forcing a change only on evidence of compromise. A policy written today should state which approach it takes.
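
A worked enforcement of the password rules above, added here as an illustration and not part of the original notes. It implements the 12-character and character-class checks, rejects a constructed list of default passwords, stores passwords as salted PBKDF2 hashes rather than plaintext, and applies the 5-failed-attempt lockout. The 15-minute unlock period and the default-password list are assumptions; the policy states neither.

```python
from __future__ import annotations
import hashlib
import hmac
import os
import re
from dataclasses import dataclass, field

# Values taken from the policy text above.
MIN_LENGTH = 12
MAX_FAILED_ATTEMPTS = 5
# Assumed: the policy names no unlock period; 15 minutes is a constructed value.
LOCKOUT_SECONDS = 15 * 60
# Constructed sample of vendor/default passwords the policy prohibits (lowercase).
DEFAULT_PASSWORDS = {"admin", "password", "changeme", "welcome1", "password123!"}


def check_complexity(password: str) -> list[str]:
    """Return the policy rules the password violates (empty list = compliant)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not re.search(r"[A-Z]", password):
        problems.append("no uppercase letter")
    if not re.search(r"[a-z]", password):
        problems.append("no lowercase letter")
    if not re.search(r"[0-9]", password):
        problems.append("no digit")
    if not re.search(r"[^A-Za-z0-9]", password):
        problems.append("no special character")
    if password.lower() in DEFAULT_PASSWORDS:
        problems.append("is a known default password")
    return problems


def make_stored(password: str) -> tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256 hash for storage; the plaintext is never kept."""
    salt = os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


def verify_password(stored: tuple[bytes, bytes], candidate: str) -> bool:
    salt, digest = stored
    probe = hashlib.pbkdf2_hmac("sha256", candidate.encode(), salt, 200_000)
    return hmac.compare_digest(probe, digest)   # constant-time comparison


@dataclass
class LockoutGuard:
    """Counts failed logins per account and enforces the 5-attempt lockout."""
    failures: dict = field(default_factory=dict)      # account -> failed count
    locked_until: dict = field(default_factory=dict)  # account -> unix time

    def is_locked(self, account: str, now: float) -> bool:
        until = self.locked_until.get(account)
        if until is None:
            return False
        if now >= until:                      # lockout expired: reset state
            del self.locked_until[account]
            self.failures.pop(account, None)
            return False
        return True

    def record_failure(self, account: str, now: float) -> bool:
        """Count a failed attempt; return True if the account is (now) locked."""
        if self.is_locked(account, now):
            return True
        self.failures[account] = self.failures.get(account, 0) + 1
        if self.failures[account] >= MAX_FAILED_ATTEMPTS:
            self.locked_until[account] = now + LOCKOUT_SECONDS
            return True
        return False

    def record_success(self, account: str) -> None:
        self.failures.pop(account, None)


def attempt_login(guard: LockoutGuard, account: str, candidate: str,
                  stored: tuple[bytes, bytes], now: float) -> str:
    """Return 'locked', 'ok' or 'denied'. A locked account rejects even the
    correct password, which is what the 5-attempt rule requires."""
    if guard.is_locked(account, now):
        return "locked"
    if verify_password(stored, candidate):
        guard.record_success(account)
        return "ok"
    guard.record_failure(account, now)
    return "denied"


if __name__ == "__main__":
    pw = "Tr0ub4dor&3x!Z"                    # constructed compliant password
    print("compliant:", check_complexity(pw) == [])
    print("password123! ->", check_complexity("password123!"))
    guard, stored = LockoutGuard(), make_stored(pw)
    for _ in range(5):
        print(attempt_login(guard, "alice", "wrong-guess", stored, now=1000.0))
    print(attempt_login(guard, "alice", pw, stored, now=1000.0))   # locked
```

The lockout is keyed on the account, not the source address, because the policy is about the account; in production the counters would live in a shared store rather than process memory so that all login servers see the same count.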

Example 2: Email Usage Policy

Allowed:

• Official communication
• Business-related attachments

Prohibited:

• Sending confidential data without encryption
• Opening suspicious attachments
• Using company email for illegal activities

Consequences:
Violation may lead to disciplinary action.

3⃣ System-Specific Policy (SSP)

What is SSP?
System-Specific Policy contains detailed technical instructions for specific systems.

It is highly technical and used by IT administrators.

It defines:

• System configurations
• Access control settings
• Network security rules
• Encryption standards

Characteristics

• Technical in nature
• Applies to specific systems or applications
• Includes configuration details
• Used by IT and system administrators

Example 1: Database Server SSP

System: Customer Database Server

Security Controls:

• Data at rest must be encrypted with AES-256
• Only the DBA group has administrative access
• Firewall must allow only port 3306 (MySQL), and only from the internal network
• Daily backup at 2:00 AM
• Logs retained for 180 days

This is very technical and not for general employees.

Example 2: Web Server SSP

System: Company Web Server

Configuration Rules:

• HTTPS mandatory (TLS 1.3 only)
• Disable directory browsing
• Disable unused services
• Patch updates applied within 7 days of release
• Enable intrusion detection monitoring

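
The rules above can be checked mechanically, which is how an SSP is normally enforced in practice. The following is an added example, not from the original notes, that audits a constructed nginx-style configuration against the Web Server SSP: TLS 1.3 only, no directory browsing, plaintext HTTP served only as a redirect to HTTPS, and patches no older than 7 days. The small parser, the two sample configurations (a weak one and its hardened form) and the patch dates are all constructed for the example; reading "HTTPS mandatory" as "port 80 must redirect" is an assumption.

```python
from __future__ import annotations
import re
from datetime import date

PATCH_WINDOW_DAYS = 7            # from the SSP: patches applied within 7 days


def parse(config: str) -> list[tuple[tuple[str, ...], str, list[str]]]:
    """Minimal nginx-style parser returning (block_path, directive, args).
    Each block gets a unique id so two `server` blocks stay distinct."""
    directives, stack, counter = [], [], 0
    text = re.sub(r"#.*", "", config)                    # drop comments
    for token in re.findall(r"[^;{}]+[;{]|\}", text):
        token = token.strip()
        if token == "}":
            stack.pop()
        elif token.endswith("{"):
            counter += 1
            stack.append(f"{token[:-1].split()[0]}#{counter}")
        else:
            parts = token[:-1].split()
            directives.append((tuple(stack), parts[0], parts[1:]))
    return directives


def audit(config: str, last_patch: date, today: date) -> list[str]:
    """Return SSP violations found in the config (empty list = compliant)."""
    findings: list[str] = []
    blocks: dict[tuple[str, ...], list[tuple[str, list[str]]]] = {}
    for path, name, args in parse(config):
        blocks.setdefault(path, []).append((name, args))
        if name == "autoindex" and args[:1] == ["on"]:
            findings.append("directory browsing enabled (autoindex on)")
    for path, ds in blocks.items():
        if not path or not path[-1].startswith("server#"):
            continue
        listens = [a for n, a in ds if n == "listen"]
        if listens and not any("ssl" in a for a in listens):
            # A plaintext listener is acceptable only as a redirect to HTTPS.
            redirects = any(n == "return" and len(a) >= 2 and a[0] == "301"
                            and a[1].startswith("https://") for n, a in ds)
            if not redirects:
                findings.append("plaintext HTTP server block does not redirect to HTTPS")
        for n, a in ds:
            if n == "ssl_protocols" and a != ["TLSv1.3"]:
                findings.append(f"ssl_protocols {' '.join(a)}: SSP requires TLSv1.3 only")
    age = (today - last_patch).days
    if age > PATCH_WINDOW_DAYS:
        findings.append(f"last patch {age} days ago: SSP requires within {PATCH_WINDOW_DAYS}")
    return findings


# Constructed configurations: the weak one beside its hardened form.
WEAK_CONFIG = """
server {
    listen 80;
    server_name www.example.com;
    root /var/www/html;
    autoindex on;                     # directory listing
}
server {
    listen 443 ssl;
    server_name www.example.com;
    ssl_protocols TLSv1.2 TLSv1.3;    # still allows TLS 1.2
    ssl_certificate /etc/ssl/certs/site.pem;
}
"""

HARDENED_CONFIG = """
server {
    listen 80;
    server_name www.example.com;
    return 301 https://$host$request_uri;
}
server {
    listen 443 ssl;
    server_name www.example.com;
    ssl_protocols TLSv1.3;
    ssl_certificate /etc/ssl/certs/site.pem;
    autoindex off;
}
"""

if __name__ == "__main__":
    for f in audit(WEAK_CONFIG, date(2024, 1, 1), date(2024, 1, 12)):
        print("WEAK:", f)
    print("hardened:", audit(HARDENED_CONFIG, date(2024, 1, 10), date(2024, 1, 12)))
```

The check is deliberately a static one on the configuration file: it proves what the SSP requires, not what the server happens to negotiate today, so in an audit it is paired with an external TLS scan of the live host.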

Characteristics of a Good Policy

• Clear and understandable
• Enforceable
• Approved by top management
• Regularly updated

Example
Password Policy:

• Minimum 12 characters
• Must include special characters
• Change every 90 days

4. Risk Management
Definition
Risk Management is the process of identifying, analyzing, and controlling risks to
information systems.

Risk = Threat × Vulnerability × Impact

(This is a qualitative heuristic, not a precise equation. The threat and vulnerability factors together express likelihood, so it is the same idea as Risk = Likelihood × Impact used in the assessment step below; a risk with no exploitable vulnerability, or no impact, scores zero.)

Risk Management Process

Step 1: Risk Identification

Identify:

• Assets (servers, databases, software)
• Threats (hackers, malware, fire)
• Vulnerabilities (weak passwords, outdated software)

Step 2: Risk Assessment

Determine:

• Likelihood of occurrence
• Impact on business

Risk can then be rated:

• High
• Medium
• Low

Step 3: Risk Treatment Options

1. Risk Avoidance
Stop the activity causing the risk.
2. Risk Mitigation
Apply controls to reduce likelihood or impact.
3. Risk Transfer
Shift part of the impact to a third party, for example through cyber insurance or an outsourcing contract.
4. Risk Acceptance
Accept a minor risk, with management sign-off, if the cost of control exceeds the expected loss.

Step 4: Risk Monitoring

Continuous review and improvement: risks change as assets, threats and controls change, so the register is revisited periodically and after significant incidents.
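
A worked risk register, added here as an example and not part of the original notes, that applies the process above end to end: each factor is scored on an assumed 1-5 scale, the product gives Risk = Threat × Vulnerability × Impact, assumed thresholds map the product to High/Medium/Low, and a treatment is chosen from avoid, mitigate, transfer or accept using the page's rule that a minor risk may be accepted when the control costs more than the expected loss. The scales, thresholds, assets, loss and cost figures are all constructed.

```python
from __future__ import annotations
from dataclasses import dataclass

# Assumed cut-offs on the 1..125 product of three 1-5 factors.
HIGH_THRESHOLD = 60
MEDIUM_THRESHOLD = 20


@dataclass
class Risk:
    asset: str
    threat: str
    vulnerability: str
    threat_level: int            # 1-5: capability/frequency of the threat source
    vuln_level: int              # 1-5: how exposed or exploitable the weakness is
    impact: int                  # 1-5: business impact if the risk is realised
    annual_loss: float           # constructed expected annual loss if untreated
    control_cost: float          # constructed annual cost of the mitigating control
    transferable: bool = False   # can insurance/outsourcing absorb the impact?


def score(r: Risk) -> int:
    """Risk = Threat × Vulnerability × Impact, on the page's formula."""
    for v in (r.threat_level, r.vuln_level, r.impact):
        if not 1 <= v <= 5:
            raise ValueError("factors must be on the 1-5 scale")
    return r.threat_level * r.vuln_level * r.impact


def level(s: int) -> str:
    if s >= HIGH_THRESHOLD:
        return "High"
    if s >= MEDIUM_THRESHOLD:
        return "Medium"
    return "Low"


def recommend(r: Risk) -> str:
    """Pick a treatment: Avoid, Mitigate, Transfer or Accept."""
    lvl = level(score(r))
    if lvl == "Low":
        return "Accept"            # document it and keep monitoring
    if r.control_cost <= r.annual_loss:
        return "Mitigate"          # control is cheaper than the expected loss
    if lvl == "Medium":
        return "Accept"            # page: accept a minor risk if control is costly
    # High risk whose control costs more than it saves: shift it or stop the activity.
    return "Transfer" if r.transferable else "Avoid"


def prioritise(register: list[Risk]) -> list[tuple[str, int, str, str]]:
    """Rank the register, highest score first, with level and treatment."""
    rows = [(r.asset, score(r), level(score(r)), recommend(r)) for r in register]
    return sorted(rows, key=lambda row: row[1], reverse=True)


# Constructed sample register.
REGISTER = [
    Risk("customer database", "ransomware", "unpatched OS", 5, 4, 5,
         annual_loss=500_000, control_cost=20_000),
    Risk("public website", "defacement", "weak admin password", 3, 3, 3,
         annual_loss=10_000, control_cost=500),
    Risk("office printers", "denial of service", "no rate limiting", 2, 2, 1,
         annual_loss=1_000, control_cost=3_000),
    Risk("legacy billing app", "remote exploit", "unsupported platform", 4, 5, 4,
         annual_loss=150_000, control_cost=300_000),
]

if __name__ == "__main__":
    for asset, s, lvl, treatment in prioritise(REGISTER):
        print(f"{s:>4}  {lvl:<6}  {treatment:<8}  {asset}")
```

The ordering is the useful output: the register tells management which risks to fund first and records the reasoning behind each acceptance, which is what an auditor asks for in the monitoring step.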


5. Information Classification Process
What is Information Classification?
It is the process of categorizing information based on sensitivity and importance.

Why It Is Important

• Prevents unauthorized access
• Protects confidential data
• Helps in applying appropriate controls

Common Classification Levels

1. Public
Freely available. Example: website content.
2. Internal
For employees only.
3. Confidential
Sensitive business information.
4. Highly Confidential / Restricted
Critical data such as financial records, medical records, intellectual property.

Classification Process Steps

1. Identify Information Assets
2. Determine Sensitivity Level
3. Label the Information
4. Apply Security Controls
5. Periodic Review

Example
Student Database:

• Marks and personal details → Confidential
• College brochure → Public

6. Security Procedures and Guidelines

Difference Between Policy, Procedure, and Guideline
Policy → What must be done
Procedure → How it must be done
Guideline → Recommended practice

Security Procedures
Step-by-step instructions to implement policy.

Examples:

• Incident response procedure
• User account creation procedure
• Backup procedure

Example: User Account Creation Procedure

1. HR approval
2. Manager approval
3. IT creates account
4. Temporary password assigned
5. User signs security agreement

Security Guidelines
Best practice recommendations.
Not mandatory but strongly suggested.

Example:

• Avoid using public Wi-Fi
• Enable multi-factor authentication

7. Business Continuity
Definition
Business Continuity ensures that essential business functions continue during and after a
disaster.

Focus: Continue operations.

Business Continuity Planning (BCP)

BCP is a documented plan to maintain operations during disruptions.

Key Elements of BCP

1. Business Impact Analysis (BIA)
   o Identify critical business functions
   o Determine the maximum tolerable downtime (MTD) of each
2. Recovery Time Objective (RTO)
   o Maximum acceptable downtime; must be no longer than the MTD from the BIA
3. Recovery Point Objective (RPO)
   o Maximum acceptable data loss, expressed as time (an RPO of 24 hours means backups must run at least daily)
4. Alternate Site Planning
   o Hot Site (fully ready)
   o Warm Site (partially ready)
   o Cold Site (basic infrastructure only)

8. Disaster Recovery (DR)

Definition
Disaster Recovery focuses on restoring IT systems after a disaster.

Focus: Restore technology infrastructure.

Difference Between BCP and DRP

Business Continuity → Keeps business running
Disaster Recovery → Restores IT systems

Disaster Recovery Plan (DRP) Includes:

• Backup strategy
• Data restoration procedures
• Emergency contact list
• Roles and responsibilities
• Testing and drills

Types of Backups

• Full Backup: a complete copy of all data
• Incremental Backup: only data changed since the previous backup of any type (smallest sets, but a restore needs the full plus every incremental since it)
• Differential Backup: all data changed since the last full backup (sets grow through the cycle, but a restore needs only the full plus the latest differential)

Example Scenario
If a data center catches fire:

• DRP restores servers from backup.
• BCP shifts operations to an alternate location.
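
The scenario above worked through in code, as an added example that is not part of the original notes: a constructed week of file writes is backed up with a Sunday full plus daily incremental or differential sets, then a failure on Thursday afternoon shows which sets the DRP must restore from, which writes are lost, and whether the loss window stays within an assumed 24-hour RPO. The file names, timestamps and RPO are constructed.

```python
from __future__ import annotations
from datetime import datetime, timedelta

# Constructed write log: (file, time the file was modified).
D0 = datetime(2024, 3, 3, 2, 0)                          # Sunday 02:00, weekly full
WRITES = [
    ("ledger.db",  D0 + timedelta(days=1, hours=8)),     # Mon 10:00
    ("report.pdf", D0 + timedelta(days=2, hours=7)),     # Tue 09:00
    ("ledger.db",  D0 + timedelta(days=3, hours=9)),     # Wed 11:00
    ("notes.txt",  D0 + timedelta(days=4, hours=13)),    # Thu 15:00
]
DAILY = [D0 + timedelta(days=d) for d in range(1, 7)]   # Mon..Sat 02:00
RPO = timedelta(hours=24)                                # assumed RPO for the example


def plan_backups(writes, full_at, daily_times, mode):
    """Return [(time, kind, files)] for a full backup followed by daily backups.
    incremental  = files changed since the previous backup of any kind
    differential = files changed since the last full backup"""
    if mode not in ("incremental", "differential"):
        raise ValueError(mode)
    backups = [(full_at, "full", {f for f, _ in writes})]
    last_any = full_at
    for t in daily_times:
        since = full_at if mode == "differential" else last_any
        changed = {f for f, m in writes if since < m <= t}
        backups.append((t, mode, changed))
        last_any = t
    return backups


def restore_chain(backups, failure_at):
    """Backup sets needed to rebuild the system as of the last set before failure."""
    usable = [b for b in backups if b[0] <= failure_at]
    full = max((b for b in usable if b[1] == "full"), key=lambda b: b[0])
    later = [b for b in usable if b[0] > full[0]]
    if later and later[0][1] == "differential":
        return [full, later[-1]]          # full + newest differential only
    return [full] + later                 # full + every incremental, in order


def data_loss(writes, backups, failure_at):
    """Files written after the last usable backup, and the length of that window."""
    last = max(b[0] for b in backups if b[0] <= failure_at)
    lost = {f for f, m in writes if last < m <= failure_at}
    return lost, failure_at - last


def rpo_met(writes, backups, failure_at, rpo=RPO):
    return data_loss(writes, backups, failure_at)[1] <= rpo


if __name__ == "__main__":
    failure = D0 + timedelta(days=4, hours=14)            # Thu 16:00: fire
    for mode in ("incremental", "differential"):
        sets = plan_backups(WRITES, D0, DAILY, mode)
        chain = restore_chain(sets, failure)
        lost, window = data_loss(WRITES, sets, failure)
        print(f"{mode}: restore {len(chain)} sets, lost {sorted(lost)}, "
              f"window {window}, RPO met: {rpo_met(WRITES, sets, failure)}")
```

Both modes lose the same writes, because the loss window depends only on backup frequency; they differ in how many sets the restore needs, which is what drives the RTO. Tightening the RPO below the window means backing up more often, not changing the backup type.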

9. Relationship Between All Concepts

Security Management → Overall control
Security Policy → Rules and expectations
Risk Management → Identifies and reduces risk
Information Classification → Protects sensitive data
Procedures & Guidelines → Operational implementation
Business Continuity → Keep business running
Disaster Recovery → Restore systems after failure

All together they create a complete security framework.

10. Classroom Discussion Questions

1. Why is security policy ineffective without management support?
2. Is risk ever completely eliminated?
3. Should all data be classified as confidential?
4. What is more important: Business Continuity or Disaster Recovery?
5. Can small organizations ignore BCP?
