
Policies


ebony

Presentation Transcript


  1. Policies

  2. Policies and Decisions
  • In order to act effectively in the real world, we have to make decisions. Knowing which decision is the right decision depends upon having some sense of “right” and “wrong” or some metric we can use to judge “better” or “worse.”
  • Some decisions, of course, are neither: it matters little whether we drive on the right side of the road or the left, so long as we all agree as to which side we will use.
  • The most broadly stated guidance that we use to make decisions is called “policy.”

  3. Policies
  • Policy (Greek – “to display, to make known”) defines organization, power and accountability.
  • Corporate policies are the business equivalent of public law.
    • Paul Strassmann, The Politics of Information Management, Information Economics Press, New Canaan, CT, 1995, p. 3
  • Broad guidelines that provide employees with points of reference that they can follow without referring to higher levels of authority. Policies serve as an authoritative source of consistent answers to repetitive day-to-day questions and problems.
    • Stuart P. Bloom and Evan L. Dold, "A Guide to Developing a Policies and Procedures Manual", Management World, June 1981

  4. Information Security Policies
  • Information security policy provides the basic guidance we use to decide the value of our information assets, the impact of their exploitation, corruption or destruction, and the level of risk we are willing to accept in providing for their protection.
  • At the highest level, information security policy is a set of rules we can use when we have to decide where and how to spend scarce resources protecting valuable information.
  • Information security policy addresses the fundamental issues of what must be protected, how much protection is needed, and for how long.
  • It is applied independently to confidentiality, integrity and availability.

  5. Procedures, standards, etc.
  • Because policies are such broad principles for guiding decisions, they must be backed up by more detailed guidance for implementation and application in specific situations.
    • Procedures
    • Standards
    • Objectives
    • Goals
    • Directions
    • Implementers

  6. Policy Issues
  • Information security policy issues include:
    • Organization (responsibilities and authorities for security)
    • Risk management
    • Classification management, marking and labeling
    • Privileges and their assignment
    • Access control (discretionary or mandatory)
    • Import and export of data
    • Control and destruction of media
    • Accountability: identification, authentication, audit
    • Training, awareness and professionalization

  7. Policy Essentials
  • Policies need to be in writing.
    • Unwritten policies may sometimes be found to exist by courts, and enforced, but to be sure your policies are clear and foster the behaviors you intend and limit those behaviors you deem undesirable, policies should always be in writing.
  • Policies must be promulgated.
    • A policy the employees don’t know about is ineffective.
    • Best practice is to have a signed statement that the employee has read and understands the policy.
  • There must be some process to determine if the policy is being followed.
    • If you have no way of knowing whether a policy is being followed, the policy may be (and usually is) ineffective.
  • There have to be sanctions.
    • A policy with no teeth is ineffective.
  These issues should be dealt with explicitly in policies.

  8. Policy Outline
  • Purpose
  • Scope and context (reason for the policy, legal or administrative authority for issuing)
  • Definitions
  • Applicability (to whom the policy applies)*
  • Policy statement*
  • Related policies (links to other policies that apply to related issues)
  • Applicable standards and procedures (may be addressed in separate documents)
  • Rights and responsibilities of those to whom the policy applies*
    • Do’s and don’t’s
    • May’s and shall/shall not’s
  • Exclusions
  • Process for informing those to whom the policy applies and provision for acknowledgement of being informed
  • Forms and instructions
  • Enforcement process(es)*
    • Including points of contact
  • Sanction(s)*
  • Effective date
  • History of the policy (audit trail of revisions for version control)
  * essential parts of every policy

  9. Writing Policies and Policy Manuals
  • The verbs most often used in stating policies are: to maintain, to continue, to follow, to adhere, to provide, to assist, to assure, to employ, to make, to produce, and to be.
  • Use plain English. Choose precise and unpretentious terms.
  • The more complex the subject matter, the greater the need for a simple, direct writing style.
  • Use the present tense, not the future.
  • Avoid vague and ambiguous words such as establish, implement and administer.
  • Define key terms in a glossary.
  • Avoid jargon.
  • Use positive language.
  • Don’t use gender: use they, their, theirs.
  • Reproduce any forms referred to in a special forms section at the back of the manual.
  Susan L. Diamond, Preparing Administrative Manuals (New York: AMACOM, 1981)
