Mapping the IT Security Policy Framework Definitions to the Seven Domains of a Typical IT Infrastructure

The IT security policy framework includes policies, standards, and guidelines. Each of these includes technology, processes, and personnel. The seven domains of a typical IT infrastructure need to be mapped into the framework. The seven domains of a typical IT infrastructure are as follows:

  • User Domain

  • Workstation Domain

  • LAN Domain

  • LAN-to-WAN Domain

  • WAN Domain

  • Remote Access Domain

  • System/Application Domain

In some cases, policies might be very specific to only a single domain. For example, the User Domain maps specifically to human resources security. This encompasses controls relating to items such as pre-employment background checks and information security awareness and training. The seven domains also map across various high-level areas. Examples include access control and operations management.

Standards further help align the seven domains to the security policy. This includes, for example, access control requirements for networks, users, applications, and operating systems. Just as IT infrastructure needs to be organized within a policy framework, the infrastructure needs to be considered within the framework used for an audit.

The IT universe includes all the auditable resources or components within an organization. Naturally, the seven domains of a typical IT infrastructure are a large part of this IT universe. The IT universe may be defined as one or more domains of the IT infrastructure or even a portion of a single domain. In addition, the IT universe may describe specific entities, locations, functions, or processes within the organization.
