CISSP prep: Security policies, standards, procedures and guidelines
Information security is one of the most important elements driving the success and longevity of organizations. Trained and knowledgeable information security professionals have become must-haves for organizations that want to remain competitive.
The CISSP certification, which is vendor-neutral and supported by the International Information System Security Consortium or ISC2, is a powerful certification that information security professionals should obtain if they want to keep in step with the ever-evolving threat landscape. Security managers, security consultants, security analysts, IT directors, security architects and security systems engineers, among others, should earn a CISSP certification to boost their hiring and promotion prospects.
For more CISSP exam prep and tips, get our free CISSP exam tips ebook, or watch our free one-hour CISSP exam tips course with an instructor whose students have a 95% pass rate.
Earn your CISSP, guaranteed!
Why is this important for the CISSP?
Organizations, particularly those in upper management and governance, need to create security policies that clearly establish the role and importance of security.
There are also key guidelines and factors to be considered when creating these policies. For instance, they should ensure that the organization's terminology isn't laden with technical jargon, is easy to understand, and clearly states its security-related mission statement and business objectives. Moreover, these policies should be forward-thinking and should be reviewed and updated whenever there are significant changes within the organization.
The CISSP exam is known for its broad and diverse questions. It focuses on eight domains, namely, Security and Risk Management, Asset Security, Security Architecture and Engineering, Communication and Network Security, Identity and Access Management, Security Assessment and Testing, Security Operations and Software Development Security.
Interested parties should take time to carefully study and understand the various subjects and topics the exam covers. Some of the exam's toughest topics include “Security Policies, Standards and Procedures, and Guidelines,” which fall under the Security and Risk Management domain.
What types of security policies does the CISSP exam cover?
There are three different types of security policies covered in the exam: regulatory, advisory and informative. It's crucial to understand in depth what each entails.
- Regulatory. A regulatory policy is designed to make sure the company or organization strictly follows standards established by specific industry regulations. Regulatory policies usually apply to public utilities, financial institutions and other organizations that function with public interest in mind.
- Advisory. This type of policy works by strongly advising the employees of an organization about which activities and behaviors are allowed or prohibited according to the organization's own internal standards. Though the tenets under this type of policy may not be mandatory in nature, there may still be serious consequences if they're violated. In some organizations, disciplinary measures begin with serious warnings and progress all the way to termination.
- Informative. This type of security policy simply aims to inform employees and stakeholders about what's expected of them and the risks the organization faces. A common example is security awareness training, where employees learn about using strong passwords and other forms of good cybersecurity hygiene, as well as common threats, such as malware and phishing.
- Organizational Policy. This can be considered the blueprint of the organization's security program. It includes the strategic plan guiding how the organization should implement its security procedures and guidelines for its computer systems.
- System-Specific Policy. This type of policy deals with a particular individual computer system or software. It's designed to teach employees how to safely use and protect a specific computer system or solution.
- Issue-Specific Policy. Lastly, this policy zooms in on a particular functional element that needs more focused attention. Organizations create a policy that specifically covers the level of security needed, how it works and, if necessary, the tools involved in its implementation. Common examples include email policies, change management policies, encryption policies, access control policies and vulnerability management policies.
Security standards in the CISSP exam
One of the eight CISSP domains included in the exam is Security and Risk Management, which includes security standards. Standards are more specific than policies and are considered to be tactical documents, which present more detailed steps or processes that are necessary to meet a specific requirement.
Security standards are vital in organizations because they formalize important cyber-safety measures. Often, a standard sets a mandatory requirement, such as applying encryption to all email communications.
Guidelines and procedures: What you need to know
Another important Security and Risk Management element is Guidelines and Procedures. How are these defined, and what are the similarities and differences between policies, procedures, standards and guidelines? To get a clearer understanding of these terms within the context of information security, let's take a look at their respective definitions.
Guidelines
A guideline is a statement in a procedure or policy that determines a specific route or course of action. It could come in the form of a recommendation or suggestion regarding how things should be done. It's also flexible and amenable to change, depending on the situation. Information security professionals may confuse guidelines with best practices, so it's imperative to note that the two serve different purposes. Guidelines determine a recommended course of action, while organizations use best practices to provide examples of methodologies that have worked in the past.
Procedures
Procedures are the most specific type of security document. They are characterized by a detailed, step-by-step approach to implementing security standards and guidelines that support the organization's policies.
Procedures are often used to decide how to configure operating systems, network hardware and databases. Furthermore, procedures are useful in teaching how to add new software, systems and users. Since organizations differ, procedures will, likewise, vary from one company to another. However, there are certain types of procedures that most, if not all, organizations use, such as the following:
- Incident response – These procedures tell team members how to detect an incident and respond accordingly. They often include a step-by-step guide as to when management, as well as external parties like law enforcement agencies, should intervene.
- Auditing – Since auditing is an integral and sensitive matter, procedures should include details on what to audit, why the audits are being done, and how to maintain the audit logs.
- Environmental/Physical – Examples of environmental/physical procedures include the protection of Ethernet cables by keeping them safe from wiretapping and controlling the room temperatures where the organization stores temperature-sensitive equipment.
- Administrative – This type of procedure helps distinguish and separate the tasks and duties of employees who are directly in charge of the organization's systems. A common example is making sure database administrators don't meddle with the company's firewall logs.
- Configuration – Configuration procedures direct how to set up operating systems, firewalls, routers, software and other core elements of the organization's IT infrastructure.
Procedure implementation
After creating procedures, the next step is implementing them. Implementation starts with a commitment from upper management and continues on to every employee of the organization. Employees are mandated to take the policies seriously, ideally inspired by how leadership gets behind each security initiative. Everyone in the organization must be properly trained in maintaining the policies. Training should be administered regularly, through a complete and concise training program.
Policy/standard procedure hierarchy
When discussing Policies, Standards and Procedures, there is a hierarchy that describes in detail how the three relate to one another. It should be noted that two schools of thought present two different approaches that organizations can use to pattern their information security initiatives.
The first approach involves placing standards at the top of the hierarchy. This aims to establish technology as a constant regardless of how the organization's policies evolve.
On the other hand, the second school of thought puts policy over standards. In other words, the organization's requirements determine the type of technology it uses. In this case, the standards depend on the requirements that are outlined in the policy.
In CISSP, the policy comes above standards. For example, email and internet policies remain the same regardless of how the organization changes its email and internet technology.
Standards follow policies and establish mandatory, quantifiable controls. Procedures follow, presenting a series of detailed steps designed to accomplish specific objectives.
Lastly, guidelines provide additional advice about how to act or react in a certain situation. They're often recommended but not mandatory, such as guidelines around screening employees' qualifications.
In a nutshell, a policy aims to identify the issue and scope. It answers the question, "Why do I need to do this?"
A standard assigns quantifiable measures and deals with the question, "What is required?" On the other hand, a procedure establishes the proper steps to be taken and answers the question, "How do I do it?"
A guideline provides recommended guidance to make it easier to meet the requirements of policies, standards and procedures.
Summary
The CISSP exam covers eight different domains, and the exam taker is responsible for covering all domains and their respective sub-topics. Months before taking the exam, test takers can prepare using books, exam guides, videos and forums that cover not only security and risk management but also the seven other domains. Taking online practice exams and watching video reviews online is also advisable.
As far as having the right approach, you should try to master the hierarchy of Policies, Standards and Procedures and identify the types of risks, threats and challenges that affect each one of them. Moreover, familiarize yourself with examples of each type of security policy to avoid confusion and mix-ups while taking the exam.
Policies, standards, procedures and guidelines all play integral roles in security and risk management. Understanding their complexities empowers cybersecurity professionals to perform their tasks at a high level, which is necessary for protecting data and systems from threats.
To dive deeper into the CISSP exam, you can use our CISSP exam tips and tricks ebook, which guides you through passing the test. You can also refer to the CISSP training hub, which gives you more detailed information about how the exam works and its contents. And for a focused, deep understanding of the test, you can enroll in a CISSP Boot Camp.
Are you pursuing a full-time career in cybersecurity? If so, you'll find our Cybersecurity salary guide and Cybersecurity certifications and skills ebooks useful as you plot your journey.