Handbook of Information Security Management:Policy, Standards, and Organization



Steady-State, Eternal Focus

Policies are best if written as though they have existed forever and will continue to exist long into the future. Therefore, unnecessary specific references to current computer architecture, software products, or technologies should not be included in a policy statement. Similarly, references to specific people by name, phone numbers, mail stations, floors, and other changeable information should have limited use in a policy statement. Wherever possible, refer to titles, names of job functions (which could be identified by person in an additional document), departments, or even departmental representatives whose job responsibilities are to direct questions to appropriate staff in the area.

In addition, the policy should be in a form that is understandable by people who may be outside the organization, such as auditors, regulators, customers, and even the public who may stumble across the policy statement.

Position Independent

Because anyone may be reading and attempting to follow the prescribed policy, it should be written without regard to the reader’s position in the organization. Avoid phrases such as “your manager,” “the Vice President...” or “your subordinates/co-workers.” The reader may be the President, who would not find it essential to check with his or her “manager,” or may be someone who works for a customer company. “Their supervisor” may have nothing to do with your organization’s policies.

Techniques and Methods

To be clear and informative for readers, and to avoid disclosing operational detail to the outside readers a policy may reach, policies should not describe the particular techniques or methods by which your organization conducts its business or its internal interactions. Such descriptions belong in operations or procedure manuals; a policy statement should, at most, refer to those manuals by function rather than reproduce their content. This also keeps the policy stable when the underlying procedures change.

Contact Persons

Even well-written policies will have readers who do not completely understand the context of the policy, or who simply want to discuss some aspect of it with its author or responsible party. Providing the name of a contact person is the essential link that lets a reader express opinions, ask questions, or verify his or her understanding of what has been written. This is one of the few places where an actual person's name belongs in the policy document. Although the best resource for answering policy questions may be the author or the authorizing executive, it is essential that the named contact have the time and the job description necessary to provide adequate support. Readers tend to give a policy the respect the organization visibly gives it. One way that priority is conveyed to the general policy audience is by making sure questions can be directed to a specific individual and that responses are timely, accurate, and supportive.

References to Other Organizational Entities

Often a policy statement will need to refer to other organizational entities: divisions, groups, departments, or other named functions. These references should be explicit and clear, and should be kept as functional as possible. "The General Counsel" is preferable to "Jim Marshall, Corporate Attorney" when referring to the organization's chief legal advisor. The reader should be left with no uncertainty about which entity is meant. This rules out vague department descriptions as well as references to individuals who may not hold their current position indefinitely.

Responsibility for Adherence

The policy should state who is responsible for adhering to the provisions it specifies. The most frequent reason given for not adhering to stated policy is "I thought it didn't apply to me." The most effective way to remove this excuse is to state exactly who must conform to the instructions of the policy. If everyone is obligated to adhere to the policy, say so. If a group of people is excluded, word the policy to name those who must conform rather than only those who are exempt. For example, "This policy applies to all employees except those with off-hours access" is better than simply stating "This policy does not apply to employees with off-hours access," because the first form tells every other reader that the policy covers them.

Responsibility for Enforcement

Finally, well-written policies explicitly identify the individual or group responsible for enforcing the policy. This can include those responsible for ongoing compliance monitoring, for auditing adherence, and for assuring uniform application of the policy across all areas of the organization. If more than one area has a special responsibility, each area's responsibility should be described fully and concisely.

EXAMPLES OF ESTABLISHED POLICIES

Some policies have become models of how well-written policies can be developed. Many of them were developed in the public sector, but they apply equally well to private-sector and international organizations. As a model, take the sample policy in Exhibit 1 regarding use of company E-mail. It contains the key elements of a policy that can be understood and that achieves acceptable levels of compliance: the intended audience is clearly stated, the policy is free from jargon, it describes what is expected, and it identifies whom to contact if any questions or issues arise from its publication. Missing from this text, but included in the publication where this and other policies are distributed, is the date on which the policy comes up for review and possible reconsideration. A general rule of thumb is to review all policies every 5 years on a rotating schedule, so that 20% of them are evaluated each year. More volatile policies, such as those that depend on a particular technology, should be reviewed more frequently, and of course as issues arise any policy may be redrafted and modified to suit changing requirements and technologies.





The CISSP Open Study Guide Web Site

We are proud to bring to all of our members a legal copy of this outstanding book. Of course this version is getting a bit old and may not contain all of the information that the latest version covers; however, it is one of the best tools you have to review the basics of security. Investing in the latest version would help you out in your studies and also show your appreciation to Auerbach for letting me use their book on the site.