IT Security Policy Framework

Principles for Policy and Standards Development: Two principles for policy and standards development are Least Privilege and Simplicity.

Least privilege would be the same, for the most part, for any organization: by definition, you only allow people who have a need to know something to have access to sensitive information. I think the complexity of maintaining least privilege would depend on how large either organization was. In the health care system you would have to account for your local provider, probably in-network and familiar with your health care, unless you consider travelers who are ill or injured and seen remotely. There are various levels of care within the medical offices. The clerk checking you in should be privileged to who you are, where you live, your current insurance information, etc., but they should not be privileged to your specific health history or diagnoses. You also have to consider specialist care, in which case your records are shared outside the PCP offices.

In a financial institution, again, this is somewhat dependent on how big the institution is and what services you may be using. If you just go to the bank to deposit a check into an account and take less cash back, the teller will have access to your name, account number and balance, but unless you are applying for a loan, no one in the bank need know what your annual salary is or what your credit score is. If you apply for a loan, these credit history items will need to be known by the loan officer, but the teller up front, whom you see when you cash your check, still should not have access to this historical information.

With regards to simplicity, the size of the organization plays a big part again. Are we talking about Name Your City Here Savings and Loan or Navy Federal Credit Union, who in the last 20 years has opened their field of membership up from only deployed Active Duty Sailors and Marines to anyone who has ever been in the same room with someone in the military or DOD? Are we talking about a State level hospital network or an isolated urgent care center? The larger the organization, the larger the field of membership or network concerned, which raises the risk as well as the difficulty of both least privilege and simplicity. Minimizing the number of persons who have access to information in all forms is critical to risk mitigation. Keeping your policies simple so they are understood, and nonredundant, which also frees people up to do their primary job as they are not continually re-reading/re-learning covered material, is also critical to risk mitigation.
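The role-based, need-to-know access described above (clerk vs. physician, teller vs. loan officer) can be expressed as a deny-by-default, field-level policy. The following is an added example, not code from the original page or from any institution it mentions; the roles, record fields, the `loan_application` and `referral` contexts, and the sample records are all constructed for illustration. It generalizes the two scenarios slightly by letting a grant depend on an active business context (an open loan application, a specialist referral) rather than on the role alone.

```python
"""Least-privilege, field-level record filtering (added illustration).

Deny by default: a role sees only the fields it is explicitly granted, and
some fields are granted only while a specific business context is active.
"""
from typing import Any, Dict, Iterable, List, Set, Tuple

# Constructed sample records (not real data).
PATIENT_RECORD: Dict[str, Any] = {
    "name": "J. Doe",
    "address": "1 Example St",
    "insurance_id": "INS-0001",
    "diagnoses": ["hypertension"],
    "history": ["2023-01 office visit"],
}
CUSTOMER_RECORD: Dict[str, Any] = {
    "name": "J. Doe",
    "account_number": "000123",
    "balance": 250.00,
    "annual_salary": 80000,
    "credit_score": 720,
}

# Unconditional grants per role. Anything not listed is denied.
# (Hypothetical roles for illustration.)
ROLE_GRANTS: Dict[str, Set[str]] = {
    "clerk": {"name", "address", "insurance_id"},
    "physician": {"name", "address", "insurance_id", "diagnoses", "history"},
    "teller": {"name", "account_number", "balance"},
    "loan_officer": {"name", "account_number", "balance"},
    "specialist": set(),  # sees nothing until a referral exists
}

# Grants that require an active context in addition to the role.
CONTEXT_GRANTS: Dict[Tuple[str, str], Set[str]] = {
    ("loan_officer", "loan_application"): {"annual_salary", "credit_score"},
    ("specialist", "referral"): {"name", "diagnoses", "history"},
}


def allowed_fields(role: str, active_contexts: Iterable[str] = ()) -> Set[str]:
    """Fields `role` may read given the contexts currently open for this subject.

    Unknown roles get the empty set, so a misconfigured or new role fails closed.
    """
    fields = set(ROLE_GRANTS.get(role, set()))
    for ctx in active_contexts:
        fields |= CONTEXT_GRANTS.get((role, ctx), set())
    return fields


def view(record: Dict[str, Any], role: str,
         active_contexts: Iterable[str] = ()) -> Tuple[Dict[str, Any], List[str]]:
    """Return (visible_fields, denied_field_names) for an access attempt.

    The denied list is what you would write to an audit log: it records
    which sensitive fields a role tried to reach without a grant.
    """
    permitted = allowed_fields(role, active_contexts)
    visible = {k: v for k, v in record.items() if k in permitted}
    denied = sorted(set(record) - permitted)
    return visible, denied


if __name__ == "__main__":
    # The teller at the counter never sees salary or credit score.
    print(view(CUSTOMER_RECORD, "teller"))
    # The loan officer sees them only while a loan application is open.
    print(view(CUSTOMER_RECORD, "loan_officer"))
    print(view(CUSTOMER_RECORD, "loan_officer", {"loan_application"}))
    # The check-in clerk sees identity and insurance, not diagnoses.
    print(view(PATIENT_RECORD, "clerk"))
```

Because every grant is an explicit allow-list entry, adding a new role or a new field changes nothing until someone deliberately grants it, which keeps the policy both least-privilege and simple to review: the whole rule set is the two small tables.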


Read more from CIS 462 Security Strategy and Policy