Advisory A second type of policy is one which suggests (perhaps in very strong terms) an action to be taken or a method to be used to accomplish a given function. The objective of this type of policy is to give knowledgeable individuals an opportunity to identify easily and quickly a standard course of action, but still allow latitude for judgment and special circumstances that may apply. Although these policies are not rigorously enforced, the cost of not following this type of policy is usually stated in the policy. In most cases, this caveat is presented not as a warning, but in an attempt to allow the persons referencing this policy to reach an informed decision regarding their use of the policy as stated or if they would choose to use another method not specified in the policy itself. These risks or costs could include:
These risks could be of substantial consequence to the successful result of the work. The ultimate cost of not following the prescribed policy could be, at least, loss of productive time spent in explanation or defense of the procedure used. In extreme situations, the validity or accuracy of the process could be jeopardized or the successful completion of the process could be lost or delayed in the process. This type of policy has several opportunities for possible restrictions or exclusions. Its advisory nature may only apply to more experienced, professional users. For others, it may be a required policy. It may also only apply in certain types of procedures. For example, a policy may require two authorizing signatures to obtain a password for changing a production computer program. This policy may only be advisory under normal circumstances. Under special circumstances, such as during an off-shift error correction or due to vacation or absence of a key individual, it may be disregarded or replaced with an alternate policy. Where possible, exceptional situations should be described or identified in the policy itself. Informative The least directive form of policy statement is one that simply informs. No implied actions are expected and no penalty of risk is imposed for not following the policy. It is simply as the name states: for information. The audience for an informative-type policy can be literally anyone who has the opportunity to read it: individuals within the organization as well as those who have no opportunity to directly interact with the group. This type of policy, although it may seem less strict than the regulatory or advisory policies, can frequently carry strong messages and provide for severe consequences. For example, this informational policy can state that further use of this system or process is restricted to authorized individuals only and violators will be prosecuted. Clearly informational, clearly of no consequence to those who are authorized, but implying severe consequences for nonauthorized individuals who persist in violating the intent of this policy. Although intended to inform as many people as possible, this type of policy is not automatically directed to the general public. Possible restrictions or exclusions may exist that would limit this type of informative policy. It may contain information that is proprietary or sensitive. Consider this example: a policy states that users with a LAN ID must change their passwords every 60 days, however, those with mainframe access must change it every 30 days. Although it may seem innocent, several key bits of potentially confidential information are revealed: that this organization has both LANs and mainframe access; that the mainframe contains more sensitive data, and that most people will probably set their new password every month, resulting in an expected increase in the number of calls for password reset or inquiry transactions on the last day of a month with 31 days. The usual method for directing authorized individuals to more detailed information and further policies is to refer to alternate policies for more information. This allows for the informational policies to be widely distributed with little risk, while most information that may be sensitive is contained in a policy not widely distributed. In the example cited above, the informational policy could read: Passwords will be changed in accordance with department standards. See your Department Password Policy for further information. This would advise everyone of the existence of a policy, but only divulge the specific content of the policy to those with legitimate right of access. For well-developed policy statements, where alternate policies are referenced, care must be taken to assure all cited references and sources are kept synchronized. COMMON COMPONENTS OF ALL POLICIES Generally, all well-developed policies share the same common components. Some may be formatted so that the components are explicitly identified. In other cases, the components are more subtle, requiring a thorough reading to pick out each one. Irrespective of whether the policy is explicit or implicit in its component description, nearly all effective policies contain the ten items described as follows: Statement of Policy The statement of policy is the most important item in the document. As such, it should be brief, clearly worded, and state in action words what is expected. A Statement of Policy is best if it can, on its own, give the readers sufficient information to decide if they are bound to adhere to the provisions of the policy, or whether this particular policy does not apply. It should also be worded to imply whether it is a policy chiefly oriented toward people, procedures, equipment, money, or communication. Authorizing Executive/Officer The second most important item in the policy document is the name and especially the title of the individual authorizing the policy. Most often this is an officer or senior executive of the organization. The policy should be one of which the authorizing executive is aware. Consequently, it should not be an artificial highly positioned officer or it may be successfully challenged without a knowledgeable defender. The authorizing executive similarly should not be one that is too many levels down in the organization chart, or it may be frequently overruled or given exceptions by other higher-ranking officers.
|
We are proud to bring to all of our members a legal copy of this outstanding book. Of course this version is getting a bit old and may not contain all of the info that the latest version are covering, however it is one of the best tool you have to review the basics of security. Investing in the latest version would help you out in your studies and also show your appreciation to Auerbach for letting me use their book on the site.