Tuesday, 31 July 2012

The Policy control framework

Policy is a control. It sets the rules and allows us to maintain standards. Without rules, there is little we can legitimately complain about when something goes wrong.

To either assess or develop policy, policies need to be set in a framework that allows for a structured approach to understanding and implementing issues individually. Start by developing a root policy (the top of the policy chain). This can be the mission statement, or it can derive directly from a regulatory requirement or from legislation that the organization is required to adhere to. The framework can differ from one policy to another.

The framework derives from asking the question, "Is there higher level guidance outside of this organization that this organization should follow?" Next reflect on the overall security posture within the organization, the various levels of policies that already exist (if any), and the critical policies and procedures that both need to be in place and that have already been implemented.

Policy is the what. Procedure fills in the gaps by supplying the how.


A policy is typically a document that outlines specific requirements or rules that must be met. A policy is an intentional plan of action to guide decisions in order to achieve a desired, rational outcome.

Policy is a formal, brief, and high-level statement or plan that embraces an organization’s general beliefs, goals, objectives, and acceptable procedures for a specified subject area. Policy attributes include the following:

  • Require compliance (they are mandatory)
  • Failure to comply results in disciplinary action
  • Focus on desired results, not on means of implementation
  • Further defined by standards and guidelines

Policy Levels

Policy should be a part of a framework. This starts with a high level policy that sets the overall requirements and should go into specific policy for individual issues that are faced by the organization.

High Level Policy

This is the document that guides the development of the policy framework. It should be authorized at board level (or as high as possible).

A critical task is the establishment of a security documentation baseline. The baseline is the foundation for evaluating the security policy for effectiveness and accuracy. Security documentation can be expected to vary across organizations (although several components will be similar).

High level documents such as a mission statement define what customers, suppliers, and employees should be able to expect from the organization.

Issue specific and System Specific Policy

At the other end of the policy framework are those policies that are specific to a single system or issue.


A standard is a set of specific, mandatory requirements that must be met by everyone to whom it applies.

Information is one of, if not the, most valuable resources held by an organization, and it needs to be protected. Standards need to be applied to all characteristics that are commonly associated with the handling of information and information systems, and this needs to be done in a manner that is aligned to the Information Security Policy. A collection of minimum standards that must be applied when handling the organization's information assets should be developed in a manner that complements the security policy.

Standards can be described as workable and generally specific statements of the expectations or controls that the organization has mandated. The objective of an organization's standards should be to define a set of requirements that result in the implementation of a minimum level of security for each information classification category. Standards should provide developers of systems with the minimum baseline required to secure new and existing applications.

The standards should be divided into the following areas of information systems:

  • General
  • Information Classification Categories


A guideline is a collection of system-specific or procedure-specific recommendations for best practice, e.g., Microsoft Security Templates.

Guidelines are "suggestions" rather than requirements to be met, but they are strongly recommended. Effective security policies make frequent references to the standards and guidelines that exist within an organization.


Figure 1 Taken from “A Short Primer for Developing Security Policies” (SANS Policy Project)

Process or Procedure

Procedures are a control designed to ensure that the policy is put into effect. For instance, a procedure could set in place the controls designed to ensure that only those authorized to access a system can do so. Procedures are a means of supporting the objectives of the security policy and a method of implementing it within the organization. Some procedures commonly defined within an organization include:

  • Procedures for obtaining access to a system and being issued a USERID and password;
  • Logon procedures;
  • Procedures for password controls;
  • Procedures to handle incidents such as a security breach; and
  • Procedures to deal with malware (such as a computer virus or worm).
