Security Program and Policies
Principles and Practices
by Sari Stern Greene
Chapter 2: Policy Elements and Style
Copyright 2014 Pearson Education, Inc.
Objectives
Distinguish between a policy, a standard, a baseline, a procedure, a guideline, and a plan
Identify policy elements
Include the proper information in each element of a policy
Know how to use “plain language”
Policy Hierarchy
Policies reflect the guiding principles and organizational objectives
Policies need supporting documents for context and application
Standards, baselines, guidelines, and procedures support policy implementation
The relationship between a policy and its supporting documents is known as the policy hierarchy
Policy Hierarchy cont.
Standards
Dictate the specific minimum requirements for implementing a policy
They are specific and mandatory
Determined by management and can be changed without Board of Directors authorization
Standards therefore change more often than policies
Baselines
An aggregate of implementation standards and security controls for a specific category or grouping (for example, Windows 7, smartphones, and so on)
Policy Hierarchy cont.
Guidelines
Suggestions for the best way to accomplish a given task
Guidelines are created primarily to assist users in their goal to implement the policy
They are not mandatory
Procedures
Method, or set of instructions, by which a policy is accomplished
A step-by-step approach to implementation
Four commonly used formats for procedures
Simple step, hierarchical, graphic, flowchart
Policy Hierarchy cont.
Plans and Programs
Provide strategic and tactical instructions on how to execute an initiative or respond to a situation
The terms plan and program are used interchangeably
Plans are closely related to policies
Policy Format
The style and format of a policy will change based on the target audience of the policy
Identify and understand the audience
Identify the culture shared by the target audience
Plan the organization of the document before you start writing it. Will it be…
One document with multiple sections?
Consolidated policy section
Several individual documents?
Singular policy
Policy Components
Policy components
Policies include many different sections and components
Each component has a different purpose
Clearly identify the purpose of each element in the planning phase before the writing part starts
Version Control
Used to keep track of the changes to the policy
Usually identified by a number or letter code
Major revisions advance by a number or letter
1.0, 2.0, 3.0
Minor revisions advance by a subsection
1.1, 1.2, 1.3
Version control documentation includes:
Change date
Name of the person(s) making the change
Brief synopsis of the change
Who authorized the change
The effective date of the change
Introduction
Provides context and meaning
Explains the significance of the policy
Explains the exemption process and the consequences of noncompliance
Reinforces the authority of the policy
In the singular policy format, the introduction is a separate document
In a consolidated policy document, it follows the version control table and serves as a preface
Policy Headings
Identifies the policy by name and provides an overview of the policy topic or category
The format and content depends on the policy format
Singular policy includes:
Name of the organization or the division
Category, section, and subsection
Name of the author and effective date of the policy
Version number and approval authority
Consolidated policy document
The heading serves as a section introduction and includes an overview
Policy Goals and Objectives
What is the goal of the policy?
Introduces the employee to the policy content and conveys the intent of the policy
One policy may have several objectives
Singular policy objectives are located in the policy heading or in the body of the document
Consolidated policy objectives are grouped after the policy heading
Policy Statement
Why does the policy exist?
What rules need to be followed?
How will the policy be implemented?
Policy Statement cont.
A high-level directive or strategic roadmap
Lays out the specifics of how the policy will be implemented
It is the list of all the rules that need to be followed
Constitutes the bulk of the policy
Standards, procedures, and guidelines are not part of the policy statement; they can, however, be referenced in that section
Policy Exceptions
Not all rules are applicable 100% of the time
Exceptions do not invalidate the rules; they complement them by spelling out the situations in which a rule does not apply
Language used in this section must be clear, accurate, and concise so as not to create loopholes
Keep the number of exceptions low
Policy Enforcement Clause
The rules and the penalties for violating them should be listed in the same document
The severity of the penalty should match the severity and nature of the infraction
Penalties should not be enforced against employees who were not trained on the policy rules they are expected to follow
Administrative Notations
Provide a reference to an internal resource or point to additional information
Include regulatory cross-references, the names of corresponding documents (standards, guidelines, and so on), supporting documentation (annual reports, job descriptions), and the policy author's name and contact information
Policy Definitions
The glossary of the policy document
Created and included to further enhance employee understanding of the policy and rules
Renders the policy a more efficient document
The target audience(s) should be defined prior to the creation of the glossary
Useful for demonstrating the company's due diligence in explaining the rules to employees should litigation arise
Writing Style and Technique
The writing style sets the first impression
Policies should be written using plain language
Plain language is the simplest, most straightforward way to express an idea
Follow the Plain Language Action and Information Network (PLAIN) guidelines
Summary
The structure of the policy documents eases the creation and maintenance of the overall document.
A successful policy sets forth requirements (standards), ways for employees to act according to the policy (guidelines), and actual procedures.
A policy is a complex set of individual documents that build upon each other to convey the message to all employees of the organization in an efficient fashion.