We often talk about multi-layered security or rolling out MFA (multi-factor authentication) across our enterprise systems. But do we know what joins the dots between cybersecurity and the Security Policy Framework?
The Security Policy Framework.
As the name states, it is the set of documents and processes at the core of every enterprise's security. It begins with leadership's decisions about what they want to protect and how. The IT department then fulfils these requirements and deploys them across every enterprise system to complete the organization's security circle.
Steps to Establish a Working Security Policy Framework
As illustrated in the bottom-up pyramid above, the framework begins with policy and ends with guidelines, a discretionary layer added to maintain the framework's effectiveness.
Policy: No policy, no framework. Policies reflect the company's or leadership's security goals and ambitions. Policies can be divided into specialized categories such as issue-specific, system-specific, and organization-specific. Each organization also has
Standards: Once policies are in place, the company needs a working model to make sure the policies are applied correctly to the right systems and networks. In a nutshell, policies tell you what needs to be done; standards elaborate the particular clauses, meanings, and interpretations of the policies, which in turn lead into the procedures.
Procedures: Procedures must be followed closely, as they describe how to establish a working security environment in the organization. This is the most detailed part of the framework: it provides the step-by-step walkthrough the IT team must implement to complete the framework.
Guidelines: This part of the documentation specifies what anyone associated with the enterprise must not do, since such actions could jeopardize the framework itself. There is always room for improvement, and implementing the guidelines is often not mandatory: the enterprise may already have established processes that do not follow the guidelines but still enhance the company's cybersecurity.