Mock Security Policy

Submitted By bp7667
Policy = Directive that publicly commits an entity to a decision to achieve a defined objective.
Who makes the decision and how? Governance: body with responsibility and authority for guiding the organization in this area.
Why would you want a policy?
• Regulatory compliance
• Due care; due diligence
• Assign responsibility
• Assign authority, e.g., incident response
• Publicize to members of organization
• Create framework for development of standards, procedures, baselines, and guidelines.
• Proclaim priorities; values
• Specific issues need to be addressed formally by organization as a whole
Mission Statements: per Paul Drucker, a mission statement has to be operational; otherwise, it's just good intentions.
A policy statement is a way of operationalizing your entity's mission statement.
Measure of policy: SMART
• Specific
• Measurable
• Achievable
• Realistic
• Time-based
Policy Taxonomy
Policy: the what and the why (the objective).
Standards: measures of compliance, e.g., DOD or FIPS standards that specify a required level of software or hardware.
Baselines: minimum standards
Guidelines: not mandatory, not compulsory, several solutions may be satisfactory.
Procedures: explicit actions, sometimes in explicit order at a specific time (e.g., prior to production/operation). Mandatory. Procedures employ standards.
Hierarchy (diagram): Policies → Standards → Guidelines → Procedures
Different types of policies: issue vs. system policies
Issue policies (examples):
• Passwords
• Acceptable use
• Email
• Copyright
System policies (examples):
• Firewalls
• Mobile devices
• Email servers
• Copiers

Policy Structure
• Purpose: the why; problem is defined, objectives, reason for policy
• Background: historical or current rationale
• Cancellation/expiration: supersedes existing policy
• Scope: who does it apply to
• Policy Statement: guiding principle; what's to be done
• Roles and Responsibilities: who is responsible for what
• Compliance/Enforcement: how will it be enforced, and what are consequences for failure to adhere to it.
Don't want to get into technical details at the policy level. Procedures, standards, etc. address that.
Policy Tests
• Can specific procedures, guidelines, and standards be derived from it?
• Is it consistent with existing laws/regulations?
• Is it consistent with other organization policies?
• Is it uniformly enforced? If not, why?
• Is it current?
• Is it readily available?

Policy Creation, Approval, and Adoption
• Analogous to legislative process
• What is the issue? Why do we need a policy?
• Can we achieve our goal via standards revision?
• Who are stakeholders?
• What is existing documentation on the issue?
• What is the policy approval process? Who has final say?
• How are you going to disseminate/publish?
• How are you going to enforce?
• Leverage existing disciplinary processes?
• Does collective bargaining already cover this?
• Legally consistent?
