Guidelines, policies (AUP, info security, BC/DR, IR, SDLC, change mgmt)

5.1 Security governance

📘CompTIA Security+ (SY0-701)

Security governance is the framework of rules, processes, and policies that guide how an organization protects its information and IT systems. It ensures that security efforts align with business objectives, comply with regulations, and minimize risk.

Security governance is made up of guidelines and policies. Both are important, but they serve slightly different purposes:

  • Policies are official rules that must be followed.
  • Guidelines are recommendations or best practices that help implement policies but are more flexible.

Key Types of Policies in IT Security

Here are the main policies you need to know for the exam, along with simple explanations:

1. Acceptable Use Policy (AUP)

  • Purpose: Defines what employees can and cannot do on company devices or networks.
  • Example in IT: Employees are allowed to access only company-approved websites and must not install unauthorized software on company laptops.
  • Exam Tip: Know that violating an AUP can result in disciplinary action.

2. Information Security Policy

  • Purpose: High-level rules about how to protect company data.
  • Example in IT: Passwords must be at least 12 characters and use a mix of letters, numbers, and symbols; sensitive data must be encrypted at rest and in transit.
  • Exam Tip: This is the overarching policy that covers confidentiality, integrity, and availability (CIA triad).

3. Business Continuity (BC) / Disaster Recovery (DR) Policy

  • Purpose: Ensures critical IT systems continue running during a disruption and can be restored afterward.
  • Example in IT: If a data center fails, services automatically failover to a backup data center. Regular backups must be tested weekly.
  • Exam Tip: BC focuses on keeping the business running, DR focuses on recovering IT systems after a disaster.

4. Incident Response (IR) Policy

  • Purpose: Provides a structured approach to respond to security incidents.
  • Example in IT: If a malware infection is detected, employees report it to the security team immediately. The security team follows a predefined incident response plan to contain, eradicate, and recover.
  • Exam Tip: Know the phases of IR: preparation, identification, containment, eradication, recovery, lessons learned.

5. Software Development Life Cycle (SDLC) Policy

  • Purpose: Provides security guidance during software development.
  • Example in IT: Developers must perform code reviews, implement secure coding practices, and test for vulnerabilities before releasing software.
  • Exam Tip: Security must be integrated from the start of development, not just after deployment.

6. Change Management Policy

  • Purpose: Ensures all changes to IT systems are reviewed, approved, and documented to prevent unexpected problems.
  • Example in IT: Before updating a company server, the change must be logged, tested in a staging environment, and approved by IT management.
  • Exam Tip: Helps prevent downtime and security gaps caused by unapproved changes.

Guidelines vs Policies

FeaturePolicyGuideline
DefinitionMandatory rulesRecommended best practices
FlexibilityLow (must follow)High (can adapt)
ExamplePasswords must be changed every 90 daysUse a password manager to help manage complex passwords

Exam Tip: Questions may ask about the difference between guidelines and policies—remember: policies = rules, guidelines = advice.

Why These Policies Matter for Security Governance

  1. Consistency: Everyone in the organization knows what is expected.
  2. Compliance: Helps meet laws and regulations (like GDPR, HIPAA).
  3. Risk Reduction: Reduces likelihood of data breaches, downtime, or other incidents.
  4. Auditability: Auditors can verify that security controls are in place and followed.

✅ Summary

  • Security governance ensures IT security aligns with business goals.
  • Policies are mandatory rules; guidelines are recommended practices.
  • Important policies include:
    • AUP – proper use of IT resources
    • Information Security – protecting data
    • BC/DR – keeping business and IT running
    • IR – responding to security incidents
    • SDLC – secure software development
    • Change Management – controlled IT changes
  • Governance policies help ensure compliance, reduce risk, and provide structure.

Leave a Reply

Your email address will not be published. Required fields are marked *

Buy Me a Coffee

Powered by
Necessary cookies enable essential site features like secure log-ins and consent preference adjustments. They do not store personal data.
None
Functional cookies support features like content sharing on social media, collecting feedback, and enabling third-party tools.
None
Analytical cookies track visitor interactions, providing insights on metrics like visitor count, bounce rate, and traffic sources.
None
Advertisement cookies deliver personalized ads based on your previous visits and analyze the effectiveness of ad campaigns.
None
Powered by