Security Standards and Policy

By Jeffrey Lush, Sep 3, 2017

We establish security standards in our environment to assist us in meeting security objectives or policies. For example, we may want to secure the transactional environment that supports our online store. Too often, organizations create numerous security standards that support a specific objective, then create another set of security standards to meet objective B. The application of security standards should be universal to multiple security policies. In other words, how I secure access to my information technology environment should be a universal principle inherited at the root of all of my security policies. Although security standards should have a "one to many relationship" with security policies, applying the security standard alongside the unique attributes that may exist within each security policy is often challenging for organizations. Cyber security is far from a one-size-fits-all model. We must maintain flexibility to accomplish our objectives while providing standardization for predictability and consistency. Understanding the pitfalls of cyber security is critical to success.

In addition to establishing a consistent application of security standards to meet the needs of multiple security policies, the unique implementation of the security standard may need to be augmented by the priority of the control as it relates to a specific security policy. Leveraging a pool of security standards for our security policies will enhance an organization's ability to secure the environment more consistently. In addition, the ability to inherit attributes of a security standard among multiple security policies for updates, maintenance, and remediation is very powerful as well.

BAP provides a unique framework to manage your security standards. BAP is built upon a foundation that allows customers the flexibility they need to manage their security standards and policies, and that provides validation and accountability once the standard and policy have been implemented.