
What are the differences between these 5: Practice, Process, Standards, Policy, Procedure

  • Snowflake Queen
  • Dec 12, 2025
  • 4 min read

In the IT cybersecurity world these five words are used constantly, and each of them depends on the others. If one is poorly constructed it leaves gaps, the document has to be revisited and rebuilt, and that cycle never ends.


How do we produce well-constructed Practice, Process, Standards, Policy and Procedure documents that need minimal rework and can be executed promptly across the organization?


Yes, of course, skills and experience are required; I agree with that. But a clear understanding of each term, and a mind-map of how they flow into one another, is just as important, because that becomes the guideline you follow consistently. It cannot be a one-off exercise.


Practice


Over here, this is the common phrase: What are the best security practices?


These are general, ongoing activities, habits or methods used to maintain security, usually based on established standards (such as NIST or ISO) and built into processes from the start rather than bolted on as an afterthought.


These are my thoughts: although it is good to ask for and study the best security practices, which are usually supplied by the principal vendor, consultants or auditors, you MUST be careful with them.


Applied blindly, they can cause mayhem, chaos and excessive configuration that is later judged unnecessary or not applicable to the business requirements and has to be re-configured.


They are usually requested when the business is unsure how to begin and wants reference guidance as a starting point rather than creating custom configurations from scratch.



Process

A security process is a series of actions that must be carried out to achieve ONE result. A security process ensures that confidentiality, integrity and availability (CIA) are upheld at all times.


The importance of a security process:

  • Consistency: ensures security measures and controls are applied uniformly.

  • Efficiency: security tasks are easier to manage, and automation increases productivity.

  • Compliance: makes it possible to meet regulatory requirements.

  • Resilience: builds a stronger defence against evolving threats, provided the process is reviewed consistently and updated in time.

    Figure: Three pillars of cyber security

One real-world scenario: creating an account and providing access for a new employee. *** This is a very high-level process, given only to illustrate the idea: ***

  1. The first action: HR receives the new employee's details and enters them into the HR system to officially onboard him or her.

  2. The second action: in today's IT world the HR system is integrated with the on-premises Active Directory (AD), and an automated workflow creates the account in AD.

  3. The third action: once the AD account has been created, the employee's required access (birthright access) is provisioned automatically (e.g. email, the self-service ServiceNow portal, Salesforce, SharePoint, application and system access).

  4. The fourth action: once the required access has been provisioned, an email notification is sent to HR and to the AD administrator.

  5. The fifth action: on the onboarding day the employee can log in with the newly created account and access the systems and applications.
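Steps 2 to 4 written out as an added PowerShell example, not code from the original post. It assumes a hypothetical CSV export from the HR system (columns EmployeeId, GivenName, Surname, Department, Title, StartDate), placeholder OU, group and domain names, and an SMTP relay; the ActiveDirectory module cmdlets (New-ADUser, Add-ADGroupMember, Get-ADUser, Enable-ADAccount) are real, everything else is an assumption. Two practitioner details the high-level steps leave implicit are built in: the HR employee id is the key, so a re-run never creates a second account, and privileged groups can never be handed out as birthright.

```powershell
# Added example: HR-driven joiner (onboarding) workflow against on-premises AD.
# Assumptions, none of them from the original post: the HR system exports a CSV
# with the columns EmployeeId,GivenName,Surname,Department,Title,StartDate; the
# OU, group names, mail domain and SMTP relay are placeholders for your own.
#Requires -Modules ActiveDirectory
[CmdletBinding()]
param(
    [string]   $HrExport   = 'C:\hr\joiners.csv',
    [string]   $UserOu     = 'OU=Staff,DC=corp,DC=example',
    [string]   $MailDomain = 'corp.example',
    [string]   $SmtpServer = 'smtp.corp.example',
    [string[]] $NotifyTo   = @('hr@corp.example', 'ad-admins@corp.example')
)

# Birthright access: only what every member of a department needs on day one.
# Privileged groups are never birthright; they go through a separate request.
$Birthright = @{
    'Everyone' = @('SG-Email-Users', 'SG-ServiceNow-SelfService', 'SG-SharePoint-Readers')
    'Sales'    = @('SG-Salesforce-Users')
    'Finance'  = @('SG-Finance-App-Users')
}
$Privileged = @('Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators')

function New-JoinerAccount {
    param([Parameter(Mandatory)] $Joiner)

    $start = [datetime]::Parse($Joiner.StartDate)

    # Idempotent: the HR employee id is the key, so re-running the export after
    # a partial failure must not create a second account for the same person.
    $existing = Get-ADUser -Filter "EmployeeID -eq '$($Joiner.EmployeeId)'"
    if ($existing) {
        # Daily re-run: enable a pre-staged account once the start date arrives.
        if (-not $existing.Enabled -and $start.Date -le (Get-Date).Date) {
            Enable-ADAccount -Identity $existing
        }
        return $null   # nothing else to do for a known employee
    }

    # First initial + surname, lowercase ASCII only, capped at the 20-char SAM limit.
    $base = (($Joiner.GivenName.Substring(0, 1) + $Joiner.Surname).ToLower() -replace '[^a-z0-9]', '')
    $sam  = $base.Substring(0, [Math]::Min(20, $base.Length))
    if (Get-ADUser -Filter "SamAccountName -eq '$sam'") { throw "SamAccountName '$sam' is taken; resolve manually" }

    # Random initial password, change forced at first logon; the account stays
    # disabled until the start date so an early credential leak is useless.
    $initial = -join ((33..126) | Get-Random -Count 24 | ForEach-Object { [char]$_ })

    New-ADUser -Name "$($Joiner.GivenName) $($Joiner.Surname)" `
        -GivenName $Joiner.GivenName -Surname $Joiner.Surname `
        -SamAccountName $sam -UserPrincipalName "$sam@$MailDomain" `
        -EmployeeID $Joiner.EmployeeId -Department $Joiner.Department -Title $Joiner.Title `
        -Path $UserOu `
        -AccountPassword (ConvertTo-SecureString $initial -AsPlainText -Force) `
        -ChangePasswordAtLogon $true `
        -Enabled ($start.Date -le (Get-Date).Date) `
        -PassThru
}

function Grant-BirthrightAccess {
    param([Parameter(Mandatory)] $User, [Parameter(Mandatory)] [string] $Department)

    # Unmapped departments get only the 'Everyone' set; nulls are filtered out.
    $groups = @(@($Birthright['Everyone']) + @($Birthright[$Department]) | Where-Object { $_ })
    foreach ($g in $groups) {
        # Guardrail: a typo or bad mapping must never land someone in a privileged group.
        if ($Privileged -contains $g) { throw "Refusing to grant privileged group '$g' as birthright" }
        Add-ADGroupMember -Identity $g -Members $User
    }
    return $groups
}

foreach ($joiner in Import-Csv -Path $HrExport) {
    try {
        $user = New-JoinerAccount -Joiner $joiner
        if (-not $user) { continue }
        $groups = Grant-BirthrightAccess -User $user -Department $joiner.Department
        # Step 4: notify HR and the AD administrator of what was provisioned.
        Send-MailMessage -SmtpServer $SmtpServer -From "idm@$MailDomain" -To $NotifyTo `
            -Subject "Onboarded $($user.SamAccountName) ($($joiner.EmployeeId))" `
            -Body ("Account: {0}`nEnabled: {1}`nBirthright groups: {2}" -f $user.SamAccountName, $user.Enabled, ($groups -join ', '))
    }
    catch {
        # One bad record must not block the rest of the batch; surface it for the AD admin.
        Write-Error "Onboarding failed for $($joiner.EmployeeId): $_"
    }
}
```

Run it from a scheduled task under a service account that has only create-user rights on the staff OU and member-add rights on the birthright groups, nothing more. Handover of the initial password to the employee, and the mover and leaver halves of the lifecycle, are outside the scope of this example.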


Standards

Security standards are prescriptive: they mandate specific requirements that an organization must meet, often as the basis for a compliance certification.

To reach compliance, IT security frameworks, industry regulations and data regulations take a broader view, offering best practices and guidelines that help an organization define the specific organizational standards it must adopt and implement to strengthen its overall security posture.


Major IT security frameworks: ISO 27001, NIST frameworks, CIS, MITRE ATT&CK (a knowledge base of adversary tactics and techniques rather than a certifiable standard), COBIT, PCI DSS, HIPAA, CCM

Data regulations: GDPR, CCPA, PDPA

Industrial Automation and Control Systems (IACS): IEC 62443

Some Examples of Country Specific:


Policy

A policy is a guiding principle that drives the development of security standards, controls and measures to ensure effective governance. It also defines the rules and regulations the organization must comply with to meet Governance, Risk and Compliance (GRC) requirements.

It begins by:

  1. identifying a problem,

  2. setting strategies for protecting digital and physical assets, data, systems and users from threats,

  3. upholding confidentiality, integrity and availability (the CIA triad),

  4. defining user responsibilities and access controls,

  5. and defining enforcement measures such as a password policy, restrictions on sharing files with external parties (e.g. disabling USB storage), VPN access (remote office access to HQ) and website URL filtering (which websites can be visited).


  • Policies define what needs protection and why, controls define how that protection is achieved, and measures are the specific implementations of those controls.

  • Four categories of security control: Deterrent, Preventive, Detective and Corrective.

    • Deterrent controls: warning banners, security signage, physical security

    • Preventive controls: least privilege, access control, firewalls, MFA, IPS

    • Detective controls: SIEM, UEBA, DLP, IDS

    • Corrective controls: patch management, incident response plan, forensic analysis

  • Security measures: specific actions or implementations of those controls

    • Installing CCTV

    • Security awareness training

    • Facial recognition, fingerprint authentication

    • Segregation of duties

    • Blocking the upload of specific file formats

    • Real-time session recording and monitoring of file modifications

    • Analysing logs for unauthorized access and risky logins

    • Backing up data daily, weekly, monthly and yearly

    • Installing patches to fix vulnerabilities

    • Quarantining systems



Procedure


Lastly, a procedure document: a detailed, step-by-step set of instructions, the practical "how-to" guide.


It covers everything from:

  • physical security access,

  • provisioning, managing and revoking users' standard and privileged access across IT, IoT and OT,

  • responding to incidents such as a data breach or leak, or a system or application outage,

  • giving employees, systems, applications and processes specific actions that prevent unauthorized access, misuse or damage,

  • to ensuring consistent protection of assets, data and systems by implementing the organization's security policies.



The significance of the procedure document:

  • Consistency: a standardized, structured way of performing security tasks

  • Compliance: helps to meet regulatory requirements (such as ISO 27001, NIST, CIS, APRA CPS 234, PCI DSS and industry regulations)

  • Clarity: explains the practical actions needed to enforce security policies

  • Auditing: serves as guidance to educate staff, to audit controls and to drive continuous improvement in security





2025 December UnderneathTheBlueSky - Brighter Days Ahead
