IT Examiner School - Oct 2025
Internal Use Only
Policy Framework: What are Procedures?

Procedures define in detail how a policy and its supporting standards and guidelines shall be implemented as a security control in a particular operating environment.

Simplistic example:

Policy: Access to company information systems is restricted to authorized users only.
Standard: Users are required to have a unique User ID and a confidential password.
Guidelines: Passwords should be 8 or more alphanumeric characters in length.
Procedures: Detailed steps for accomplishing the following in Microsoft Active Directory (a technical security control):
• Require users to have a unique login id
• Require user passwords to be eight or more characters in length
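As an added illustration (not part of the training deck), the following PowerShell shows how an examiner could verify that the Active Directory procedure above is actually in force, rather than taking the written procedure at face value. It assumes the RSAT ActiveDirectory module is installed and the account running it has read access to the domain; the required length of 8 is taken from the example procedure.

```powershell
# Added example, not from the training materials: verify that AD enforces the
# "eight or more characters" procedure. Assumes the ActiveDirectory module (RSAT)
# and domain read access.
Import-Module ActiveDirectory

$RequiredMinLength = 8   # from the procedure: eight or more characters

# The default domain policy applies to every user not covered by a fine-grained policy.
$default = Get-ADDefaultDomainPasswordPolicy
$finding = if ($default.MinPasswordLength -ge $RequiredMinLength) { 'PASS' } else { 'FAIL' }
"{0}: Default domain MinPasswordLength = {1} (required >= {2})" -f $finding, $default.MinPasswordLength, $RequiredMinLength

# Fine-grained password policies (PSOs) override the default for the users and groups
# they apply to, so a weaker PSO undermines the procedure even when the default passes.
Get-ADFineGrainedPasswordPolicy -Filter * | ForEach-Object {
    $status = if ($_.MinPasswordLength -ge $RequiredMinLength) { 'PASS' } else { 'FAIL' }
    "{0}: PSO '{1}' MinPasswordLength = {2}; applies to: {3}" -f $status, $_.Name, $_.MinPasswordLength, ($_.AppliesTo -join ', ')
}
```

The check reads both the default domain policy and every fine-grained policy because the setting an auditor sees in the default policy is not necessarily the one a given user is subject to. The "unique login id" requirement is enforced by Active Directory itself (logon names must be unique within the domain), so the script concentrates on the length setting, which is the part an administrator can weaken.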
These materials are for internal training purposes for NYS DFS Staff. It may not be distributed outside the department.
Elements of a Good Information Security Framework
• Board and executive oversight
• Supports the mission of the organization
• Requires a comprehensive and integrated approach
• Protects the assets of the organization
• Protections are implemented based on risk-informed decision making
• Interdependencies of security controls are assessed and monitored
• Cultural adoption through awareness and skills training
• Roles and responsibilities are explicit