Power point assignment

Chapter2.ppt

Security Program and Policies
Principles and Practices

by Sari Stern Greene

Chapter 2: Policy Elements and Style

Objectives

Distinguish between a policy, a standard, a baseline, a procedure, a guideline, and a plan
Identify policy elements
Include the proper information in each element of a policy
Know how to use “plain language”

Policy Hierarchy

Policies reflect the guiding principles and organizational objectives
Policies need supporting documents for context and application
Standards, baselines, guidelines, and procedures support policy implementation
The relationship between a policy and its supporting documents is known as the policy hierarchy

Policy Hierarchy cont.

Standards
Dictate specific minimum requirements in policies
They are specific
Determined by management and can be changed without the Board of Director authorization
Note that standards change more often than policies
Baselines
An aggregate of implementation standards and security controls for a specific category or grouping (for example, Windows 7, smartphones, and so on)

Policy Hierarchy cont.

Guidelines
Suggestions for the best way to accomplish a given task
Guidelines are created primarily to assist users in their goal to implement the policy
They are not mandatory
Procedures
Method, or set of instructions, by which a policy is accomplished
A step-by-step approach to implementation
Four commonly used formats for procedures
Simple step, hierarchical, graphic, flowchart

Policy Hierarchy cont.

Plans and Programs
Provide strategic and tactical instructions on how to execute an initiative or respond to a situation
Plans and programs are used interchangeably
Plans are closely related to policies

Policy Format

The style and format of a policy will change based on the target audience of said policy
Identify and understand the audience
Identify the culture shared by the target audience
Plan the organization of the document before you start writing it. Will it be…
One document with multiple sections?
Consolidated policy section
Several individual documents?
Singular policy

Policy Components

Policy components
Policies include many different sections and components
Each component has a different purpose
Clearly identify the purpose of each element in the planning phase before the writing part starts

Version Control

Introduction

Provides context and meaning
Explains the significance of the policy
Explains the exemption process and the consequences of noncompliance
Reinforces the authority of the policy
A separate document for a singular policy
Follows the version control table and serves as a preface for consolidated policy

Policy Headings

Identifies the policy by name and provides an overview of the policy topic or category
The format and content depends on the policy format
Singular policy includes:
Name of the organization or the division
Category, section, and subsection
Name of the author and effective date of the policy
Version number and approval authority
Consolidated policy document
Heading serves as a section introduction and includes and overview

Policy Goals and Objectives

What is the goal of the policy?
Introduces the employee to the policy content and conveys the intent of the policy
One policy may have several objectives
Singular policy objectives are located in the policy heading or in the body of the document
Consolidated policy objectives are grouped after the policy heading

Policy Statement

Policy Statement

Hig- level directive or strategic roadmap
Focuses on the specifics of how the policy will be implemented
It’s a list of all the rules that need to be followed
Constitutes the bulk of the policy
Standards, procedures, and guidelines are not a part of the Policy Statement. They can, however, be referenced in that section

Policy Exceptions

Not all rules are applicable 100% of the time
Exceptions do not invalidate the rules, as much as they complement them by listing alternative situations
Language used in this section must be clear, accurate, and concise so as not to create loopholes
Keep the number of exceptions low

Policy Enforcement Clause

Rules and penalty for not following them should be listed in the same document
The level of the severity of the penalty should match the level of severity and nature of the infraction
Penalties should not be enforced against employees who were not trained on the policy rules they are expected to follow

Administrative Notations

Provides a reference to an internal resource or refers to additional information
Include regulatory cross-references, the name of corresponding document (standard, guideline, and so on), supporting documentation (annual reports, job descriptions), policy author name and contact information

Policy Definitions

The glossary of the policy document
Created and included to further enhance employee understanding of the policy and rules
Renders the policy a more efficient document
The target audience(s) should be defined prior to the creation of the glossary
Useful to show due diligence of the company in terms of explaining the rules to the employees during potential litigation

Writing Style and Technique

Summary

The structure of the policy documents ease the maintenance and creation of the overall document.
A successful policy sets forth requirements (standards), ways for employees to act according to the policy (guidelines) and actual procedures.
A policy is a complex set of individual documents that build upon each other to convey the message to all employees of the organization in an efficient fashion.