1 / 17

Security Policies and Procedures: Principles and Practices

Security Policies and Procedures: Principles and Practices. Chapter 2: The Elements of a Policy. Objectives. Create a policy with the appropriate standards, guidelines and procedures Develop a policy with the appropriate elements Include the proper information in each element of a policy

becky
Download Presentation

Security Policies and Procedures: Principles and Practices

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Security Policies and Procedures:Principles and Practices Chapter 2: The Elements of a Policy

  2. Objectives • Create a policy with the appropriate standards, guidelines and procedures • Develop a policy with the appropriate elements • Include the proper information in each element of a policy • Distinguish the difference between a policy objective and a policy purpose • Define a policy audience clearly

  3. Introduction • Policy Pitfalls • Difficult to implement: creating policies is only the first step. Policies must also be communicated and enforced • Version control: how to make sure that this large document remains updated, and that all employees have the current version, and not an obsolete one?

  4. Defining Policy Companions • Definitions • Standards: dictate specific minimum requirements in policies. • Note that standards change more often than policies • Guidelines: suggestions for the best way to accomplish a given task • Guidelines are created primarily to assist users in their goal to implement the policy

  5. Defining Policy Companions Cont. • Procedure: method, or set of instructions, by which a policy is accomplished • A step-by-step approach to implementation

  6. Developing a Policy Style and Format • Policy Style and Format • The style and format of a policy will change based on the target audience • Identify and understand the audience • Identify the culture shared by the target audience • Plan the organization of the document before you start writing it. Will it be… • One document with multiple sections? • Several individual documents?

  7. Defining Policy Elements • Policy elements • Policies include many different elements • Each element has a different purpose • Clearly identify the purpose of each element in the planning phase before the writing part starts

  8. Statement of Authority • Serves as a preface to a group of policies • Explains the motivation behind the creation of the policies • When applicable, it introduces the federal mandate that regulates the organization (HIPAA, GLBA, etc) • Defines the core values and culture of the organization

  9. Policy Headings • Contains all logistical information regarding a specific policy area, such as: • Security domain section, subsection, policy number • Name of the organization and of the document • Name of the author, and effective date of the policy • Revision number • Name of the authority under whom the policy is written

  10. Policy Objectives • What is the goal of the policy? • Introduces the employee to the policy content • One policy may have several objectives • Not an enumeration of all measures • Defines generic policy-related need(s) for the company

  11. Policy Statement of Purpose • Why does the policy exist? • How will the policy be implemented? • The “how” should not be overly detailed

  12. Policy Audience • Who is the policy intended for? • The “Who” is the policy audience • The document must be clear as to which group of employees is targeted, as not all policies apply to all employees. Some may even apply to non-employees, such as 3rd-party contractors • Audience for each document should be defined during the planning portion

  13. Policy Statement • Focuses on the specifics of how the policy will be implemented • It’s a list of all the rules that need to be followed • Constitutes the bulk of the policy • Standards, procedures and guidelines are not a part of the Policy Statement. They can however be referenced in that section

  14. Policy Exceptions • Not all rules are applicable 100% of the time • Exceptions do not invalidate the rules, as much as they complement them by listing alternate situations • Language used in this section must be clear, accurate and concise so as not to create loopholes • Keep the number of exceptions low

  15. Policy Enforcement Clause • Rules and penalty for not following them should be listed in the same document • The level of the severity of the penalty should match the level of severity and nature of the infraction • Penalties should not be enforced against employees who were not trained on the policy rules they are expected to follow

  16. Policy Definitions • The Glossary of the policy document • Created and included to further enhance employee understanding of the policy and rules • Renders the policy a more efficient document • The target audience(s) should be defined prior to the creation of the glossary • Useful to show due diligence of the company in terms of explaining the rules to the employees during potential litigation

  17. Summary • The structure of the policy documents ease the maintenance and creation of the overall document. • A successful policy sets forth requirements (standards), ways for employees to act according to the policy (guidelines) and actual procedures. • A policy is a complex set of individual documents that build upon each other to convey the message to all employees of the organization in an efficient fashion.

More Related