Chapter 105 · Security Program Management

Security Policies

Acceptable use, business continuity, disaster recovery, incident response roles, software development lifecycle, and change management — the policy framework that defines what security controls are required and why.

Confidential
Report ID: SP-2024-001Domain: Security Program ManagementTopic: AUP, Business Continuity & Disaster Recovery

Acceptable Use, Business Continuity, and Disaster Recovery Policies

Security policies are the foundational documents that define what an organization requires regarding security. Policies state what must be done and why. Technical controls implement how the policy requirements are met. Without policies, technical controls lack authority and enforceability.

Policy = what + why. Technical controls = how. Policies must exist before technical controls can be justified, enforced, or audited against.

Information Security Policy

The information security policy (sometimes called the master security policy) is the top-level document that establishes the organization's commitment to security. It defines: the scope of security requirements across the organization; roles and responsibilities for security; management's commitment and support; consequences for non-compliance. All other security policies derive their authority from the information security policy. This policy is owned by senior management and approved at the executive or board level.

Acceptable Use Policy (AUP)

An acceptable use policy (AUP) defines what employees and other users are permitted to do with organizational information systems, networks, and data. The AUP covers:

Legal liability limitation: The AUP is a critical legal document. By establishing clear rules and requiring employee acknowledgment (signature), the organization limits its legal liability when violations occur. If an employee commits an illegal act using organizational systems and the organization had no AUP, the organization may bear greater liability for enabling the conduct. An acknowledged AUP creates a documented notice that the conduct was prohibited.

Business Continuity Planning (BCP)

Business continuity planning addresses how the organization will maintain critical business functions when normal operations are disrupted. BCP is broader than disaster recovery — it focuses on keeping the business running during a disruption, not just recovering IT systems after one.

Disaster Recovery Plan (DRP)

A disaster recovery plan is a subset of BCP that specifically addresses IT system restoration after a disaster. Disasters covered include natural disasters (earthquake, flood, hurricane), technological disasters (data center fire, major equipment failure, ransomware), and human-caused disasters (sabotage, terrorism).

Confidential
Report ID: SP-2024-002Domain: Security Program ManagementTopic: Incident Response Roles & NIST 800-61

Incident Response Roles and NIST SP 800-61

Why Roles Must Be Policy-Defined

During an active security incident, there is no time to determine who should do what. Roles, authorities, and responsibilities must be defined in policy before incidents occur. Without pre-defined roles, incidents produce confusion, duplicated effort, missed tasks, and delayed decisions — all of which benefit the attacker and extend the damage window.

Five Incident Response Roles

RoleResponsibilities
IR Team (technical responders)Detect, contain, analyze, and eradicate the incident. Execute technical response procedures. Collect evidence. Own the technical aspects of the response.
IT Security ManagementCoordinate the overall response. Escalate to senior management when scope or impact requires. Approve containment and recovery decisions that affect business operations.
Compliance OfficersEnsure the response meets regulatory requirements. Manage mandatory breach notifications (GDPR 72-hour notification, HIPAA notification requirements). Document compliance-relevant decisions.
Technical Staff (non-IR)Provide system access, technical knowledge, and operational support during response. May be subject matter experts for specific systems being investigated.
User CommunityReport suspicious activity, follow security instructions during the incident (e.g., "do not use email"), and cooperate with responder requests. Often the first to notice an incident.

NIST SP 800-61 and the Incident Response Lifecycle

NIST SP 800-61 (Computer Security Incident Handling Guide) provides the framework for incident response that the Security+ exam tests. The four-phase lifecycle:

  1. Preparation: Establish policies, build the team, assemble tools (go bag), document baselines, create contact lists. Everything that must exist before an incident occurs.
  2. Detection and Analysis: Identify and characterize potential incidents. Determine whether events constitute an incident. Analyze scope and impact.
  3. Containment, Eradication, and Recovery: Stop the spread (containment), remove the threat (eradication), restore operations (recovery).
  4. Post-Incident Activity: Lessons learned, timeline reconstruction, policy and procedure updates based on findings.
NIST SP 800-61 is a specific framework for incident handling. NIST CSF (Identify/Protect/Detect/Respond/Recover) is a different framework for overall cybersecurity program management. Do not confuse them on the exam.
Confidential
Report ID: SP-2024-003Domain: Security Program ManagementTopic: SDLC & Change Management

Software Development Lifecycle and Change Management

Software Development Lifecycle (SDLC)

Security policies must address how software is developed and deployed. The SDLC policy ensures security is integrated into development, not bolted on after the fact. Two primary methodologies:

MethodologyCharacteristicsSecurity Considerations
AgileIterative, short development cycles (sprints, typically 2 weeks). Working software delivered frequently. Requirements evolve. Cross-functional teams.Security must be integrated into each sprint. Frequent releases mean frequent deployments — security testing must keep pace. DevSecOps applies security automation in CI/CD pipelines.
WaterfallLinear phases: Requirements → Design → Implementation → Testing → Deployment → Maintenance. Each phase completes before the next begins. Well-documented, predictable timeline.Security requirements must be captured in the Requirements phase; retrofitting security into later phases is expensive. Formal security review at each gate.

Security policy for SDLC typically mandates: security requirements must be included in project requirements; security testing (SAST, DAST, penetration testing) must be completed before production deployment; security sign-off is required before release.

Change Management Policy

Change management policies govern how changes to IT systems and infrastructure are proposed, reviewed, approved, and implemented. Uncontrolled changes are a significant security risk: a misconfigured firewall rule introduced without review can open a major vulnerability.

Change management policy elements:

Change management policy prevents "unauthorized change" from being a root cause of security incidents. An undocumented change that introduced a vulnerability may never be detected until the vulnerability is exploited.

The CIA Triad Foundation

All security policies are ultimately justified by the CIA triad: Confidentiality (information is only accessible to authorized parties), Integrity (information is accurate and unmodified), and Availability (information and systems are accessible when needed). Each policy can be traced back to protecting one or more of these three properties. The AUP protects confidentiality and integrity. The BCP/DRP protects availability. Incident response policies protect all three by enabling rapid response when CIA is threatened.