Mock Security Policy
Computers and Technology
Submitted By bp7667
Policy = Directive that publicly commits an entity to a decision to achieve a defined objective.
Who makes the decision and how? Governance: body with responsibility and authority for guiding the organization in this area.
Why would you want a policy?
• Regulatory compliance
• Due care; due diligence
• Assign responsibility
• Assign authority, e.g., incident response
• Publicize to members of organization
• Create framework for development of standards, procedures, baselines, and guidelines.
• Proclaim priorities; values
• Specific issues need to be addressed formally by organization as a whole
Mission Statements: per Paul Drucker, a mission statement (MS) has to be operational; otherwise, it's just good intentions.
A policy statement is a way of operationalizing your entity's mission statement.
Measure of policy: SMART
Policy: the what and the why; states the objective.
Standards: measures of compliance (e.g., DoD, FIPS); for example, the required level of software or hardware.
Baselines: minimum standards.
Guidelines: not mandatory, not compulsory; several solutions may be satisfactory.
Procedures: explicit actions, sometimes in an explicit order at a specific time (e.g., prior to production/operation). Mandatory. Procedures employ standards.
Different types of policies: issue-specific vs. system-specific policies. Components of a policy:
• Purpose: the why; problem is defined, objectives, reason for policy
• Background: historical or current rationale
• Cancellation/expiration: what existing policy it supersedes
• Scope: who it applies to
• Policy Statement: guiding principle; what's to be done
• Roles and Responsibilities: who is responsible for what
• Compliance/Enforcement: how will it be enforced, and what are consequences for failure to adhere to it.
Don't get into technical details at the policy level; procedures, standards, etc. address that.
Checks on a policy:
• Can specific procedures, guidelines, and standards be derived from it?
• Is it consistent with existing laws/regulations?
• Is it consistent with other organization policies?
• Is it uniformly enforced? If not, why?
Policy Creation, Approval, and Adoption
• Analogous to legislative process
• What is the issue? Why do we need a policy?
• Can we achieve our goal via standards revision?
• Who are stakeholders?
• What is existing documentation on the issue?
• What is the policy approval process? Who has final say?
• How are you going to disseminate/publish?
• How are you going to enforce?
• Can you leverage existing disciplinary processes?
• Does collective bargaining already cover it?
• Is it legally consistent?