• Policies: Mandatory, strategic intent ("What/Why"); e.g., Password Policy
• Standards: Mandatory, specific requirements ("Which"); e.g., AES-256 only
• Procedures: Step-by-step instructions ("How"); e.g., Weekly backup steps
• Guidelines: Recommendations, flexible ("Should"); e.g., VPN use while traveling
Frameworks & Regulations
• ISO/IEC 27000: International security management standards; 27001 (certifiable ISMS), 27002 (controls)
• NIST SP 800 Series: US federal guidelines; 800-53 (controls), 800-30 (risk assessment), 800-37 (RMF)
• PCI DSS: Payment Card Industry Data Security Standard; protects cardholder data
• GDPR: EU regulation; breach notification to the supervisory authority within 72 hours of becoming aware (where feasible); data subject rights (access, rectification, erasure, portability)
• CCPA: California Consumer Privacy Act; consumer data rights
• Multi-Jurisdiction: Organizations must comply with ALL applicable laws where they operate or where data resides (data sovereignty)
• AUP (Acceptable Use): Permitted/prohibited user activities; email, web, device usage rules
• Change Management: Minimizes disruption to dependent systems and services; includes Review Boards (Change Advisory Board, CAB), Rollout Plans (phased deployment), Backout Plans (tested rollback procedures), and Maintenance Windows (scheduling changes when impact is lowest)
• COOP (Continuity of Operations): Maintains essential functions during disruption
• BC (Business Continuity): Keeps business running (alternate sites, cross-training)
• DR (Disaster Recovery): IT/systems restoration after catastrophic event (backups, site recovery)
Documentation & Control
• Version Control: Track policy changes, ensure current version in use, audit trail for compliance
• Governance Boards: Oversight committees (steering committees) approving policy, risk appetite, and strategic security investments
Quick Checks: Change Mgmt goal = minimize disruption; GDPR = 72 hrs; Owner decides classification, Custodian manages the bits; Controller vs Processor = who decides vs who does; Standards are mandatory tech specs, Guidelines are optional advice.
• Owner: Senior manager; classifies data, approves access, liable for protection
• Controller: Entity determining purpose/means of processing (GDPR context)
• Processor: Entity processing data on behalf of controller (cloud providers, MSPs)
• Custodian: IT/admin managing backups, storage, encryption (technical controls)
• Steward: Ensures data quality, metadata accuracy, and policy implementation
Automation & Orchestration
• Reduces Human Error: Cuts manual misconfiguration, enforces consistent baselines
• Efficiency: Repetitive tasks (provisioning, patching, log analysis) executed rapidly
• Enforcement: Automated GPO, IaC, and DLP ensure policy compliance without manual intervention
• Fatigue Reduction: SOAR/SIEM automation handles alert triage, freeing analysts for complex analysis
• Streamlining: Continuous monitoring and auto-remediation shorten time to remediate and close control gaps faster