Policies, Standards, Procedures, and Guidelines\" Please respond to the followin
ID: 641784 • Letter: P
Question
"Policies, Standards, Procedures, and Guidelines" Please respond to the following:
1) To operate effectively, organizations must develop effective policies, standards, procedures, and guidelines. Describe the differences between policies, standards, procedures, and guidelines, and how they collectively govern and manage information security programs in organizations.
2) Assess how organizations incorporate external policies, standards, procedures, and guidelines into the development of their information security governance program in order to adhere to external requirements while meeting the unique demands of their organization.
Explanation / Answer
1)
The importance of policy is supported by a quick review of the current regulatory issues facing companies. While regulations, whether governmental or industry-driven, are typically on the "grey" side when prescribing control requirements, the need for defined policy within the organization is always included.
However, policy is not just a 'check the box' activity for regulatory compliance. Policy defines the organization's response and posture for handling specific business processes.
Policy must be sanctioned by executive management and reflect the organizational view on acceptable business practices.
This includes the management of risks and execution of business processes. Policy must clearly define the structure, approach and philosophy to address a specific business aspect. In Information Technology, policy must cover all aspects of the IT organization - from software acquisition and development to security to disaster recovery to operational management. Policy also must be consistently communicated to the enterprise and applied to business process and strategy. Policy definition is not a one-time activity but must be ingrained into the culture of the organization.
Designing Policy
Designing policy, procedures and standards is a process that many organizations have undertaken for many parts of the business. For Information Technology, the goal is to implement a policy infrastructure that allows IT to manage risk appropriately, yet meet business needs.
First, policy must define the why, what, who, where and how of the IT process.
Secondly, policy must be matured over a period of time with a clear strategic course. Policy can quickly become an administrative burden or an ignored dogma without a true sense of the strategic value of policy. Within IT, policy is absolutely critical in setting strategic objectives, but even more important in building a culture focused on controlled, business-oriented services. Disaster Recovery (DR) is a clear example of how a well-built policy adds strategic value. For a comprehensive approach to DR, many facets of the business must be aligned, and policy will form the backbone of that alignment. Along with many other facets of the business, DR requires:
Expand policy into a true knowledge base.
Obviously, high-level policy with some supporting standards is not the long-term objective. Additionally, maintaining manual compliance testing with hard-copy or otherwise manual testing results is an arduous and ineffective method. Transforming policy into a "knowledge base" drives deeper into technical control documentation and standards, and forms the basis for long-term growth into automated compliance testing and reporting.
Implement broader awareness, training & testing.
Employees are the keys to an effective policy and compliance program and they must understand their role in the program. With the establishment of a broader, deeper policy foundation, expectations and requirements must be streamlined to 'cut to the chase' for certain types of employees. In other words, awareness must transition to true training, including testing of knowledge and possible employee certification.
Automate compliance testing & reporting.
Following along with the policy/compliance maturation process, the next enhancement of compliance management capabilities is to leverage compliance testing technologies to automate manual processes on each significant technology platform. This requires mapping the prescriptive requirements of the organization - identified earlier and articulated in the customized set of policies, standards and procedures - to technology that facilitates automated compliance data collection, and then deploying the solution across the enterprise.
The ultimate goal of setting policies is to influence behavior, set clear requirements and guide people through business decisions. A comprehensive Policy Management process is the process of setting the policy in motion within the organization ensuring both proper communication and compliance activities.
Align policy maturity and compliance activities.
There are two basic mantras for policy and compliance management: Policy and Compliance must progress proportionally together, and Policy and Compliance must be holistic and include people, process and technology. These are important concepts to keep in mind during the development process. Compliance activities should be automated and/or facilitated as much as possible. Some controls can either be implemented or monitored in an automated fashion. These should be measured as efficiently as possible using appropriate tools. Other controls will be purely manual and will require other assessment, measurement or monitoring processes. Facilitating the measurement of these controls should also be automated as much as possible.
Conclusion
The myriad of compliance requirements every company faces is becoming more complicated. Additionally, business needs are driving towards increasingly complex technology environments and demanding a continued focus on distributed approaches to IT administration. IT Governance depends on a clear definition of policy for the enterprise. An IT policy and its supporting standards define the controls and requirements necessary for proper security, management and practices within the organization's information technology environment.
2)
Policies, Standards, Guidelines, and Procedures
Know how to set policies and how to derive standards, guidelines, and implement procedures to meet policy goals.
Part of information security management is determining how security will be maintained in the organization. Management defines information security policies to describe how the organization wants to protect its information assets. After policies are outlined, standards are defined to set the mandatory rules that will be used to implement the policies. Some policies can have multiple guidelines, which are recommendations as to how the policies can be implemented. Finally, information security management, administrators, and engineers create procedures from the standards and guidelines that follow the policies. The figure below shows the relationships between these processes. The rest of this section discusses how to create these processes.
Figure: The relationships of the security processes.
Information Security Policies
Information security policies are high-level plans that describe the goals of the procedures. Policies are not guidelines or standards, nor are they procedures or controls. Policies describe security in general terms, not specifics. They provide the blueprints for an overall security program just as a specification defines your next product.
Questions always arise when people are told that procedures are not part of policies. Procedures are implementation details; a policy is a statement of the goals to be achieved by procedures. General terms are used to describe security policies so that the policy does not get in the way of the implementation. For example, if the policy specifies a single vendor's solution for a single sign-on, it will limit the company's ability to use an upgrade or a new product. Although your policy documents might require the documentation of your implementation, these implementation notes should not be part of your policy.
Specifications
Information security policies are the blueprints, or specifications, for a security program.
Although policies do not discuss how to implement information security, properly defining what is being protected ensures that proper control is implemented. Policies tell you what is being protected and what restrictions should be put on those controls. Although product selection and development cycles are not discussed, policies should help guide you in product selection and best practices during deployment. Implementing these guidelines should lead to a more secure environment.
How Policies Should Be Developed
Before policy documents can be written, the overall goal of the policies must be determined. Is the goal to protect the company and its interactions with its customers? Or will you protect the flow of data for the system? In any case, the first step is to determine what is being protected and why it is being protected.
Policies can be written to affect hardware, software, access, people, connections, networks, telecommunications, enforcement, and so on. Before you begin the writing process, determine which systems and processes are important to your company's mission. This will help you determine what and how many policies are necessary to complete your mission. After all, the goal here is to ensure that you consider all the possible areas in which a policy will be required.
Define What Policies Need to Be Written
Information security policies do not have to be a single document. To make it easier, policies can be made up of many documents