
Cyber Security Policy Guidebook Notes

Cyber Security is the ability to control access to systems, networks and the
information and data in them.
The role of a professional is to plan for potential attacks and prevent them.
Applies to both physical systems and networks.
Cyberspace is considered to be a fourth domain of nations.
Specific goals:
- Prevent, detect, respond: prevent all possible attacks (impossible), detect
ongoing ones and respond to those in order to keep the system and network safe
(includes repairing any damage left)
- People, process, technology: routines the operators must follow in order to
keep technology working at optimal performance and as safely as possible
(collectively act, prevent social engineering)
- Confidentiality, integrity, and availability: ensure the authorization,
authenticity and precision of information

The Cyber Security Policy


Addresses the tension between cyber functionality and security with the objective of
achieving the maximum possible productivity.
Regulations concerning information distribution, protection and safety.
There might be variations in the security policy from one company to another, one state
to another or one country to another. Dictated by:
- Laws and regulations: at the state level, not always established through formal written
laws, but through reports and speeches that might later be put
into law.
The US regulations on cyber security were not meant specifically
for cyber security issues, but emerged from policy enforcement laws.
- Enterprise policy: in companies, rules are usually formed in a more active
manner than governmental rules. They are meant to be followed under threat
of sanction. Risks are usually assessed to mid-level managers. Employees
must make sure they comply with the legal and regulatory requirements, and
recommend that their clients model processes around them (process
execution in specific ways).
Nowadays, technology is implemented using software and devices that
enforce security, taking reference from the specified standard.

Strategy versus Policy:


- The policy articulates the strategy to be followed in order to achieve the
cyber security goals and its constituents. This does not mean, however, that the
policy dictates an implementation standard; only that it sets the guidelines for the
implementation. A strategy may be anything from a software implementation to an
awareness campaign and/or workshop.

A policy should be flexible and open to change, revisited every time a situation
changes. However, it should be robust enough to withstand the ever-increasing
changes in technology and the growing desire of executives to expand their
productivity.
