Security Policy and Governance Guide (SPG)

🔐 Security Policy & Governance Guide

Let's explore Security Policy and Governance step by step with detailed explanations and real-world relevance.

---

OBJECTIVE OF SECURITY POLICY AND GOVERNANCE

Security Policy and Governance is about protecting an organization's information assets by establishing rules, practices, and processes to manage and control security effectively.

1. Legal & Regulatory Environment ▶

• Every country or industry has laws and regulations (GDPR, HIPAA, PCI-DSS, etc.) to protect sensitive data.
• These regulations define how data should be stored, processed, and transmitted.
• Organizations must ensure their information security policies align with legal obligations to avoid penalties.

Example: If a hospital stores patient records, it must comply with health data protection laws (like HIPAA). A data leak could result in legal action.

2. Information Security Concept ▶

• Information Security (InfoSec) is about protecting information and systems from unauthorized access, use, or destruction.
• The main goal is to preserve the Confidentiality, Integrity, and Availability (CIA Triad) of information.

CIA Triad:

• Confidentiality: Only authorized people can access the data.
• Integrity: Data is accurate and not tampered with.
• Availability: Data is accessible when needed.

Example: A bank website must protect customer credentials (confidentiality), ensure balances aren't altered (integrity), and be available 24/7 (availability).

3. Security Governance & Planning ▶

• Security Governance directs and controls information security.
• It involves setting strategic goals, defining roles (e.g., CISO), allocating resources, and establishing policies.

Security Planning includes:

• Risk assessments
• Business continuity plans
• Incident response strategies

Why it's important: Without governance and planning, security efforts become random and ineffective.

4. Developing & Maintaining Security Policies ▶

• A Security Policy is a written document outlining how an organization protects its data and assets.
• It includes rules, procedures, roles, and enforcement mechanisms.

Types of Security Policies:

• Acceptable Use Policy: How users should use company systems.
• Access Control Policy: Who can access what data.
• Password Policy: Password complexity and rotation rules.
• Incident Response Policy: Steps to handle a breach.

• Develop based on risk and regulatory needs.
• Communicate policies through training and documentation.
• Review regularly and update as needed.

5. Risk Management ▶

• Risk Management is identifying, assessing, and mitigating risks to data and systems.

Why manage risk? You can’t secure everything equally. Risk management helps prioritize efforts.

1. Identify Risks – What can go wrong? (e.g., malware, phishing)
2. Assess Risks – Likelihood and impact?
3. Mitigate Risks – Apply controls (antivirus, training, firewalls)
4. Monitor & Review – Risks change over time.

6. Risk Identification & Control Categories ▶

Risk Identification: Spotting all possible ways data or systems could be compromised.

Control Classification Categories:

• Administrative Controls: Policies, procedures, training
• Technical Controls: Firewalls, encryption
• Physical Controls: CCTV, locks, guards

Example: To protect a data center:

• Admin: Security policy and training
• Technical: Encryption, access control systems
• Physical: Biometric access, surveillance cameras

---

📘 UNIT 1: INTRODUCTION TO MANAGEMENT OF INFORMATION SECURITY

🧩 Asset ▶

An asset is anything valuable to an organization that needs protection.

• Logical (Digital) Assets: Software, databases, websites, emails, IP.
• Physical Assets: Servers, desktops, routers, buildings.

Assets are the target of most attacks. Asset identification is the first step in building a security framework.

💾 Information Asset ▶

A subtype of asset, specifically information and the systems that store or transmit it.

• Customer databases
• Payroll records
• Source code
• Email systems
• Cloud storage with business data

Protecting information assets is the primary goal of cybersecurity policies and tools.

🔐 Information Security ▶

🎯 Objective:

To ensure that information assets are protected from:

• Unauthorized access
• Alteration or deletion
• Disruption or denial of access

🔁 Focus Areas:

• Confidentiality: Encryption, access control, secure passwords
• Integrity: Checksums, digital signatures, hashing
• Availability: Backups, fault-tolerant systems, uptime monitoring

🛠 Protection Mechanisms:

• Policy: Clear rules and standards
• Training: Educating employees
• Awareness Programs: Posters, emails, events
• Technology: Firewalls, anti-virus, authentication tools

🔁 Real-World Analogy ▶

Think of information security like protecting a house:

• Confidentiality: Lock the doors – only authorized people enter.
• Integrity: Ensure nothing inside is moved or damaged without permission.
• Availability: The house is always accessible to the owner.

Just like you use alarms, keys, and fences to protect your house, in cybersecurity, you use policies, software, and training to protect information.

---

✅ Summary

• Why security policies and governance are crucial.
• How legal requirements impact information security planning.
• The CIA Triad and how it protects information assets.
• The concept of risk management and control categories.
• The difference between assets, information assets, and security techniques.

• Diagrams (CIA Triad, Risk Management Lifecycle)
• MCQs for self-assessment
• Case studies or scenarios for practice

Let me know which one you'd like next!