Lecture Notes: Policies and Procedures in Cybersecurity

Importance of Policies and Procedures

Purpose: Provide order and method for implementing security.
Types of Frameworks:
- NIST: Risk-based framework by National Institute of Standards and Technology.
- ISO/IEC: Cybersecurity frameworks for certification.
- TOGAF: Enterprise security architecture modeling.
- SABSA: Information assurance and risk analysis.
- COBIT: IT governance framework focused on security.
- ITIL: Aligns IT and business processes with a security perspective.

Prescriptive Frameworks
- Based on regulations and compliance requirements.
- Examples: COBIT, ITIL, ISO 27001, PCI-DSS.
- Measures maturity level by organization's proactive security stance.
Risk-based Frameworks
- Adapt based on organization's specific risk assessment.
- Examples: NIST Cybersecurity Framework.
- Focus on continuous improvement and real-world application.

Major Elements:
- Acceptable Use Policy (AUP)
- Code of Conduct/Ethics
- Privacy Policies
- Data Ownership and Classification
- Backup and Destruction Policies
- Job-related Security Functions

Definition: Step-by-step instructions for security operations.
Types of Procedures:
- Compensating Controls
- Continuous Monitoring
- Documentation
- Control Testing
- Change Management
- Patching and Updating
- Technology Retirement
Exceptions Handling:
- Documentation of reasons and personnel involved.
- Risk assessments and duration of exceptions.

Security policies and procedures are crucial for mitigating human risks in cybersecurity.
Frameworks and procedures help organizations implement structured and effective security measures.
Understanding different frameworks and procedures is essential for exams and practical cybersecurity applications.