Policy Design
Policies address the requirement to protect information from disclosure, unauthorized access, loss, corruption and interference, and apply to information in both electronic and physical formats. IT security policies play a critical and strategic role in keeping corporate information safe. Defining and implementing them helps an organization identify and manage business risk. Documented policies and procedures take the guesswork out of information security: they let an organization manage business risk through defined controls that also provide a benchmark for audit and corrective action. Without documented policies and procedures, each employee and contractor will act on their own perception of acceptable use, system management will be ad hoc and inconsistent, and staff will not know whether they are acting within the organization's risk appetite.
The benefits of well-defined policies and procedures that are communicated to staff and reviewed and updated regularly to keep pace with changes in the environment include:
Providing a security and acceptable use framework for the organization.
Helping to protect the information systems and information assets of the organization.
Providing a uniform level of control and guidelines for management.
Promulgating one information security message to all.
Communicating the IT security and acceptable use policies and guidelines to users.
Providing a benchmark for monitoring and measuring compliance.
Assisting with staff issues relating to the misuse of the technology or the information.
Meeting internal obligations of auditors and risk managers.
Policy Name | Summary
---|---
Access Control | Defines high-level requirements and guidelines on user account management, access enforcement and monitoring, separation of duties, and remote access.
Business Continuity and Disaster Recovery | Ensures that the organization can quickly recover from natural and man-made disasters while continuing to support customers and other stakeholders.
Change Management | Governs changes to applications and their supporting infrastructure, and helps minimize the impact that changes have on organizational processes and systems.
Incident Response | Ensures that incidents threatening the security or confidentiality of information assets are properly identified, contained, investigated and remediated, and gives staff guidance on how to define and address them.
Information Security Program Management | Explains how you manage InfoSec policies, provide security awareness training, implement and document security controls, and track compliance with customers, third-party vendors, independent auditors and regulatory agencies.
Network Security | Describes how your organization provides a protected, interconnected computing environment through securely configured network devices, in support of organizational missions, goals and initiatives.
Risk Assessment | Institutes regular risk assessments and uses industry best practices in remediation.
Server and Host Security | Describes how your company manages, configures and protects organizational servers and hosts based on industry best practices.
Vendor Management | Establishes a foundation for actively managing the risks around third-party vendors and their access.
Workstation Security | Outlines how your company protects laptops and workstations and their contents using industry best practices.
Thoughts
Who should be involved in the development of IT Policies?
The CIO, IT Manager, network administrators and system administrators should all be involved in developing the policies and procedures. Input from Human Resources and information managers is recommended, as is input from Risk and Legal staff where those roles exist in the organization. Ultimately the senior management team should sign off on the policies.
How do organizations manage their policies typically today?
Managing policies can be as simple as keeping a folder of documents, but that is often ineffective. Policies are living documents that benefit from cross-references to procedures, resources and context. BCSF recommends that organizations adopt a wiki platform for storing operational documents. Our recommended solutions come in two options:
Atlassian's Confluence software, if you wish to maintain your documents entirely on your own.
BENTO:GUIDES's advanced subscriptions, which offer a documentation platform that is wholly managed and integrated with additional implementation and attestation services.