Security Basics Lesson 7 – Security Policies & Procedures | Dataplexa

Security Basics

I. Core Security Fundamentals
1. What is Cybersecurity 2. Why Cybersecurity Matters 3. Types of Cyber Threats 4. Vulnerabilities, Risks & Exploits 5. CIA Triad 6. Authentication vs Authorization 7. Security Policies & Procedures 8. Defense in Depth 9. Security Best Practices 10. Introduction to Security Careers
II. Systems, Network & App Security
11. OS Security Basics 12. Linux Security Fundamentals 13. Windows Security Fundamentals 14. Network Security Basics 15. Firewalls & Access Control 16. Secure Network Architecture 17. Application Security Basics 18. Web Security Fundamentals 19. Security Misconfigurations 20. Security Hardening Basics
III. Threats, Attacks & Prevention
21. Malware Types & Analysis 22. Phishing & Social Engineering 23. Password Attacks & Protection 24. Insider Threats 25. Denial of Service Attacks 26. Man-in-the-Middle Attacks 27. Web Application Attacks 28. Data Breaches & Case Studies 29. Security Monitoring Basics 30. Incident Response Introduction
IV. Governance, Risk & Real World
31. Risk Management Basics 32. Security Compliance Overview 33. ISO 27001 Fundamentals 34. SOC & Security Operations 35. Logging & Auditing 36. Security Tools Overview 37. Cloud Security Basics 38. Security Automation 39. Security Best Practices Checklist 40. Mini Project – Security Assessment
Section I · Lesson 7

Security Policies & Procedures

This lesson covers

Policy vs procedure vs standard vs guideline → The documents every security programme needs → Acceptable use, password, and incident response policies in practice → Policy failures that caused real breaches → Enforcing policy without making it unworkable

When the Uber breach of 2022 was investigated, one detail stood out: the attacker got in by posing as an IT support person and convincing an employee to hand over their credentials via WhatsApp. No zero-day. No advanced malware. Just a gap between what the security policy said and what employees actually did when pressure was applied. The policy existed. The enforcement didn't. That gap is what this lesson is about.

Policy, procedure, standard, guideline — four different things

These four terms get used interchangeably in most organisations. They shouldn't. Each operates at a different level and serves a different purpose, and conflating them produces documents that are simultaneously too vague to follow and too rigid to be practical.

A policy is a high-level statement of intent. It says what must happen, not how. "All user accounts must be protected by multi-factor authentication." That's a policy. It sets the requirement. It doesn't specify which MFA solution to use.

A standard translates a policy into specific, measurable requirements. "MFA must use TOTP-based authenticator apps or hardware keys. SMS-based MFA is not permitted for privileged accounts." That's a standard. It gives the policy teeth.

A procedure is the step-by-step operational instruction. "To enrol in MFA: open the authenticator app, tap Add Account, scan the QR code displayed in the admin portal, enter the six-digit code to verify." That's a procedure. It tells people exactly what to do.

A guideline is a recommendation — not mandatory, but advised. "It is recommended that employees use a dedicated authenticator app rather than adding accounts to a personal password manager." Guidelines acknowledge that not every situation fits a rigid rule.

Policy

"What" must happen. High-level, mandatory, approved by leadership. Changes rarely.

Standard

"How much / how specific." Measurable requirements that implement a policy. Mandatory.

Procedure

"Step by step." Operational instructions for completing a task. Mandatory where they exist.

Guideline

"Recommended." Best practice advice. Not mandatory — gives flexibility where rigid rules don't fit.

The core policies every programme needs

Organisations of any meaningful size need a base set of security policies. These aren't optional paperwork — they're the documented agreements between the organisation and its people about what's acceptable, what's required, and what happens when things go wrong.

Acceptable Use Policy (AUP) defines what employees can and cannot do with company systems, devices, and networks. Can they use company laptops for personal use? Can they access personal email from a work machine? Can they install software without IT approval? Without an AUP, every one of those questions is answered differently by every employee — and the organisation has no recourse when something goes wrong.

Password Policy sets the rules for credential creation and management. Minimum length, complexity requirements, rotation schedules, prohibition on reuse, requirements for MFA. A password policy that requires 8-character passwords with one uppercase letter and one number is not a security control — it's theatre. Modern guidance from NIST recommends length over complexity and drops forced rotation unless compromise is suspected.

Incident Response Policy establishes what counts as a security incident, who gets notified, and what the response process looks like. Without one, an organisation that discovers a breach spends the first critical hours arguing about who's responsible, who should be told, and whether to call the vendor or legal first. That argument costs time that could be spent containing damage.

Data Classification Policy defines categories of data and the handling requirements for each. Public, internal, confidential, restricted — or whatever labels the organisation uses. It answers the question every employee unconsciously asks when handling data: does this need to be encrypted? Who can I share it with? Can I store it on my personal device?

Access Control Policy governs how access to systems and data is granted, reviewed, and revoked. It's the policy layer above the technical controls. It should specify that access follows least privilege, that it's reviewed periodically, and that it's revoked immediately when an employee leaves. Most organisations do the first two inconsistently and forget the third entirely.

Leavers with live accounts

One of the most consistently exploited gaps in access control is the failure to revoke accounts when employees leave. A 2023 survey found that over 40% of IT professionals admitted former employees still had active access to company systems after their departure. Some of those accounts sit dormant. Others get used — by the former employee, or by an attacker who finds the credentials later. An access control policy that requires immediate deprovisioning on the day of departure, enforced through an offboarding checklist, closes this entirely.

Policy without enforcement is decoration

A policy document sitting in a shared drive that nobody reads is not a security control. It's liability coverage — evidence that the organisation knew what should be done and chose not to enforce it. The gap between policy and practice is one of the most consistent findings in security audits, and it's almost always the result of one of three failures.

Policy isn't communicated. Employees never read the acceptable use policy they signed during onboarding. Training happens once at hire and never again. When a security incident occurs, investigation reveals that the relevant policy existed — employees just didn't know it, or had forgotten it three years later.

Policy isn't technically enforced. The password policy says passwords must be at least 14 characters, but the system accepts 6. The acceptable use policy prohibits personal USB drives, but no endpoint control blocks them. Written rules without technical controls are social contracts — and social contracts break under pressure.

Policy isn't practical. If following the policy makes it significantly harder to do the job, people find workarounds. A password policy that requires a new complex password every 30 days produces passwords written on sticky notes. A policy that blocks all external file sharing produces a shadow IT ecosystem of personal Dropbox accounts. Unusable security gets bypassed. The bypass is always worse than a better-designed policy.

A password policy — compliant vs effective

Password policies are the easiest place to see the difference between a policy written to pass an audit and one written to actually work. Here's what that contrast looks like in a real configuration file:

# /etc/security/pwquality.conf

# ── OUTDATED APPROACH ── looks compliant, produces weak passwords
# minlen = 8
# dcredit = -1      # at least 1 digit
# ucredit = -1      # at least 1 uppercase
# lcredit = -1      # at least 1 lowercase
# ocredit = -1      # at least 1 special character
# maxrepeat = 3
# Result: users write "Password1!" on a Post-it note and rotate it
# to "Password2!" next month. Technically compliant. Practically useless.


# ── NIST SP 800-63B ALIGNED APPROACH ── length beats complexity
minlen = 16           # Minimum 16 characters
maxrepeat = 3         # No more than 3 consecutive identical chars
gecoscheck = 1        # Reject passwords containing the username
dictcheck = 1         # Reject passwords found in common word lists
# No forced rotation — rotate only on confirmed or suspected compromise
# Pair with: haveibeenpwned API check at password set time

What just happened

NIST's guidance since 2017 has been clear: complexity rules produce predictable patterns that humans game systematically. An attacker running a password cracker already accounts for capital-first, number-at-end, and special-character substitution. A 16-character passphrase — correct-horse-battery-staple — is both easier for a human to remember and exponentially harder to brute-force than P@ssw0rd1!. A policy that people can actually follow is more effective than one they circumvent.

Policy review — keeping documents alive

A policy written in 2019 and never reviewed is almost certainly wrong in some way by now. Threat landscapes shift, technology changes, regulations evolve, and the organisation itself grows in ways that the original authors didn't anticipate. Policies need an owner, a review cycle, and a version history.

Annual review is the standard minimum for most policies. After a significant incident, review immediately — the incident almost certainly revealed a gap that the policy needs to address. After a major regulatory change (new data protection law, new compliance requirement), review any policy that touches the affected area.

Version control for policy documents is not bureaucracy — it's essential. When an auditor asks whether a policy was in place at the time of an incident, you need to be able to prove what version existed and who approved it. A shared document with tracked changes and approval signatures does this. A Word file emailed around and saved in three different versions on two different drives does not.

Instructor's Note

The best-run security programmes treat policies the way developers treat code — they have owners, version control, review cycles, and they get updated when reality changes. The worst-run programmes have a folder full of PDFs last modified in 2017 that nobody has read since the audit that produced them. If your security policies would embarrass you if a regulator read them tomorrow, that's the work. Not a new tool, not a bigger budget. The work is making the documents match what actually happens — or making what actually happens match the documents.

Practice Questions

A document states: "Passwords for privileged accounts must be a minimum of 20 characters and must not appear in the HIBP breach database." This is a specific, measurable requirement implementing a broader policy. What type of document is it?




An organisation's document defines what employees can and cannot do with company devices, networks, and data — including rules about personal use, software installation, and removable media. What is this document called?




NIST SP 800-63B guidance recommends prioritising password ________ over complexity rules, because complexity requirements produce predictable patterns that attackers already account for.



Quiz

An organisation's AUP prohibits personal USB drives, but no endpoint software blocks them. An employee uses a personal drive to exfiltrate data. What policy failure does this represent?



A security team removes monthly forced password rotation from their policy, replacing it with rotation only on confirmed compromise. A manager objects, saying more frequent changes must be safer. Which argument best supports the team's decision?



An auditor asks a security team to prove which version of their incident response policy was active during a breach six months ago. Which elements of policy management would allow them to answer this definitively?


Up Next · Lesson 8

Defense in Depth

One control failing shouldn't mean game over — the architecture that makes sure it doesn't.

← Previous Course Index Next →