Question

Attempting to make framework compliant policies is a difficult task for cybersecurity experts. However, it is well known that implementing these policies is an even more difficult task, as it takes stakeholder buy-in and understanding in order for policies to be fully realized parts of the infrastructure. Knowing this, research and discuss implementation strategies that you would use in order to ensure that the security policies that have been set are being followed and that compliance levels remain well within the standards set forth in the framework.

Answer 1

Compliance is a crucial part of any framework or security system. The basic requirement to design a compliance framework is to obtain stated policies,standards,laws,regulations,etc. Usually compliance is changing in nature. The changing rules and regulations makes the job more challenging for an organisation to maintain a well implemented compliance framework. Another challenge is the continuous expansion and extension of production environments.

A well-designed cybersecurity policy narrates which system should be in place to guard critical data against attacks. It describes the concerned authorities how they will protect organisation's data and who will be responsible.

The framework have to include information on controls such as

a) Type of security programs to be implemented

b)Management and implementation of updates and patches which will reduce chaos

c)Data Backup

An organisation should define the security policy. Security documentation should include policies,standards,guidelines,procedures.

Security policies should include organisational/ master policy, system specific policy and Issue specific policy.

* Master policy is the blueprint about the security policy of whole organization

* System specific policy defines the features of a computer like hardware, software,procedures etc.

* Issue-specific policy defines functional aspects like email policy,media disposal policy, Vulnerability management policy etc.

Overall security policy does not specify a technological solution. It specifies sets of intentions and conditions which helps to protect assets along with organise business. Security policy design is not only the responsibility of IT team but is a responsibility of every one.

Policy should clearly identify roles and responsibilities which includes

1) Issuing of policy and maintenance responsibility

2)Enforcing the policy

3)Training of users on security awareness

4)When,Who and how responds to and revolves security incidents

5)Admin rights and controls

Important steps are

*identify critical assets

*Implement Process Mangement

*Self certify Compliance

*Task & Project Managemet

*Information protection

*Security Status monitoring

*Develop remedy and mitigation