From the course: Cybersecurity Awareness: Cybersecurity Terminology

Understanding processes and documentation

- If you're in a high-stakes situation, you're going to want to know exactly what to do and have somewhat of a playbook to follow, right? That's the kind of stuff that makes processes and documentation so important, in addition to all the lower-stakes situations you may encounter where you need to leverage this information as well. Processes are when you take certain actions to get a defined end goal. In security, having the right processes in place ensures that people know what actions need to be taken in order to achieve the same set of results, like securing the company and its assets.

CIA stands for confidentiality, integrity and availability, and is a well-known model within cybersecurity. Confidentiality is the work done to keep data secure within the company environment. Integrity equates to trusted, which means the data is reliable and verified. And finally, availability means that the data is available to authenticated users as needed.

Another well-known area of process is policy. And it is often hard for people to distinguish when a policy is needed versus a procedure, standard or guideline. For example, policies are usually broad and general and don't need updating nearly as often, whereas procedures are more detailed, step-by-step instructions that may need more frequent updating as requirements change. A policy is defined as a formal statement that needs to be followed by a defined audience. This is usually high-level and doesn't go into the weeds with details. A procedure, on the other hand, is a detailed document with step-by-step instructions on how to comply with the related policy. Typically, a policy is written first to define the statement, and the procedure follows with much more description of the rules to follow to achieve the statement within the policy. Standards also accompany a policy and may be related to an industry standard or an internal, company-defined technology standard. A policy will determine whether the standard is mandatory or voluntary, as well as which groups need to follow the standard. A guideline sets itself apart in that it provides general guidance related to the policies, procedures and standards. It is often more generalized and spelled out in more layman's terms to assist various audiences that the policy may not specifically apply to, but who may need knowledge of it.

While a company will develop its own internal policies, procedures, standards, and guidelines, there are also state and federally mandated cybersecurity controls and frameworks. These frameworks provide detailed instructions for how to maintain a secure environment, and many companies, even if not mandated, will strive to align their requirements with various industry controls and frameworks as best practice. Some of the most well known are GDPR, HIPAA and PCI.

After the documentation is in place, you will need to test implementation to verify everything is being followed properly. This is called a security audit. It can be managed internally or externally. This audit is a deep dive into the documentation to confirm that the organization is adhering to the requirements it has established regarding policies, procedures, standards, and guidelines.
