Chapter 2: Policy Elements and style
Download as PPTX, PDF0 likes2,444 views
This document discusses the elements and structure of effective security policies. It distinguishes between policies, standards, baselines, procedures, guidelines, and plans. These documents make up the policy hierarchy, with policies at the top setting principles and standards providing specific requirements to support policy implementation. The document outlines key components of policies like objectives, version control, introduction, headings, statements, exceptions, enforcement, and definitions. It emphasizes using a clear structure and plain language style to effectively communicate policies to employees.
Chapter 2: Policy Elements and style
- 1. Security Program and Policies Principles and Practices by Sari Stern Greene Chapter 2: Policy Elements and Style
- 2. Copyright 2014 Pearson Education, Inc.l 2 Objectives ❑ Distinguish between a policy, a standard, a baseline, a procedure, a guideline, and a plan ❑ Identify policy elements ❑ Include the proper information in each element of a policy ❑ Know how to use “plain language”
- 3. Policy Hierarchy ■ Policies reflect the guiding principles and organizational objectives ■ Policies need supporting documents for context and application ❑ Standards, baselines, guidelines, and procedures support policy implementation ■ The relationship between a policy and its supporting documents is known as the policy hierarchy Copyright 2014 Pearson Education, Inc.l 3
- 4. Copyright 2014 Pearson Education, Inc.l 4 Policy Hierarchy cont. ■ Standards ❑ Dictate specific minimum requirements in policies ❑ They are specific ❑ Determined by management and can be changed without the Board of Director authorization ■ Note that standards change more often than policies ■ Baselines ❑ An aggregate of implementation standards and security controls for a specific category or grouping (for example, Windows 7, smartphones, and so on)
- 5. Copyright 2014 Pearson Education, Inc.l 5 Policy Hierarchy cont. ■ Guidelines ❑ Suggestions for the best way to accomplish a given task ■ Guidelines are created primarily to assist users in their goal to implement the policy ■ They are not mandatory ■ Procedures ❑ Method, or set of instructions, by which a policy is accomplished ■ A step-by-step approach to implementation ❑ Four commonly used formats for procedures ■ Simple step, hierarchical, graphic, flowchart
- 6. Policy Hierarchy cont. ■ Plans and Programs ❑ Provide strategic and tactical instructions on how to execute an initiative or respond to a situation ❑ Plans and programs are used interchangeably ❑ Plans are closely related to policies Copyright 2014 Pearson Education, Inc.l 6
- 7. Copyright 2014 Pearson Education, Inc.l 7 Policy Format ■ The style and format of a policy will change based on the target audience of said policy ■ Identify and understand the audience ■ Identify the culture shared by the target audience ❑ Plan the organization of the document before you start writing it. Will it be… ■ One document with multiple sections? ❑ Consolidated policy section ■ Several individual documents? ❑ Singular policy
- 8. Copyright 2014 Pearson Education, Inc.l 8 Policy Components ■ Policy components ❑ Policies include many different sections and components ❑ Each component has a different purpose ❑ Clearly identify the purpose of each element in the planning phase before the writing part starts
- 9. Copyright 2014 Pearson Education, Inc.l 9 Version Control ■ Used to keep track of the changes to the policy ■ Usually identified by a number or letter code ■ Major revisions advance by a number or letter ❑ 1.0, 2.0, 3.0 ■ Minor revisions advance by a subsection ❑ 1.1, 1.2, 1.3 ■ Version control documentation includes: ❑ Change date ❑ Name of the person(s) making the change ❑ Brief synopsis of the change ❑ Who authorized the change ❑ The effective date of the change
- 10. Introduction ■ Provides context and meaning ■ Explains the significance of the policy ■ Explains the exemption process and the consequences of noncompliance ■ Reinforces the authority of the policy ■ A separate document for a singular policy ■ Follows the version control table and serves as a preface for consolidated policy Copyright 2014 Pearson Education, Inc.l 10
- 11. Copyright 2014 Pearson Education, Inc.l 11 Policy Headings ■ Identifies the policy by name and provides an overview of the policy topic or category ■ The format and content depends on the policy format ❑ Singular policy includes: ■ Name of the organization or the division ■ Category, section, and subsection ■ Name of the author and effective date of the policy ■ Version number and approval authority ❑ Consolidated policy document ■ Heading serves as a section introduction and includes and overview
- 12. Copyright 2014 Pearson Education, Inc.l 12 Policy Goals and Objectives ■ What is the goal of the policy? ■ Introduces the employee to the policy content and conveys the intent of the policy ■ One policy may have several objectives ■ Singular policy objectives are located in the policy heading or in the body of the document ■ Consolidated policy objectives are grouped after the policy heading
- 13. Copyright 2014 Pearson Education, Inc.l 13 Policy Statement ❑ Why does the policy exist? ❑ What rules need to be followed? ❑ How will the policy be implemented?
- 14. Copyright 2014 Pearson Education, Inc.l 14 Policy Statement ■ Hig- level directive or strategic roadmap ❑ Focuses on the specifics of how the policy will be implemented ❑ It’s a list of all the rules that need to be followed ❑ Constitutes the bulk of the policy ❑ Standards, procedures, and guidelines are not a part of the Policy Statement. They can, however, be referenced in that section
- 15. Copyright 2014 Pearson Education, Inc.l 15 Policy Exceptions ■ Not all rules are applicable 100% of the time ■ Exceptions do not invalidate the rules, as much as they complement them by listing alternative situations ■ Language used in this section must be clear, accurate, and concise so as not to create loopholes ■ Keep the number of exceptions low
- 16. Copyright 2014 Pearson Education, Inc.l 16 Policy Enforcement Clause ■ Rules and penalty for not following them should be listed in the same document ■ The level of the severity of the penalty should match the level of severity and nature of the infraction ■ Penalties should not be enforced against employees who were not trained on the policy rules they are expected to follow
- 17. Administrative Notations ■ Provides a reference to an internal resource or refers to additional information ■ Include regulatory cross-references, the name of corresponding document (standard, guideline, and so on), supporting documentation (annual reports, job descriptions), policy author name and contact information Copyright 2014 Pearson Education, Inc.l 17
- 18. Copyright 2014 Pearson Education, Inc.l 18 Policy Definitions ❑ The glossary of the policy document ❑ Created and included to further enhance employee understanding of the policy and rules ❑ Renders the policy a more efficient document ❑ The target audience(s) should be defined prior to the creation of the glossary ❑ Useful to show due diligence of the company in terms of explaining the rules to the employees during potential litigation
- 19. Writing Style and Technique ■ Sets the first impression ■ Policies should be written using plain language ❑ Simplest, most straightforward way to express an idea ❑ Follow The Plan Language Action and Information Network (PLAIN) guidelines Copyright 2014 Pearson Education, Inc.l 19
- 20. Copyright 2014 Pearson Education, Inc.l 20 Summary ❑ The structure of the policy documents ease the maintenance and creation of the overall document. ❑ A successful policy sets forth requirements (standards), ways for employees to act according to the policy (guidelines) and actual procedures. ❑ A policy is a complex set of individual documents that build upon each other to convey the message to all employees of the organization in an efficient fashion.