From the course: Security for the SMB: Implementing the NIST Cybersecurity Framework

Security policies and procedures

Establishing, maintaining and following organizational policies is the bedrock of a good security program. They provide the written directions that everyone in the organization should follow. There are four general types of policy documents: policies, standards, guidelines and procedures. All should be tied to your organizational goals.

Policies are formal statements or rules that specify correct or expected behavior. For example, an acceptable use policy explains the rules for using the company's information systems. You need to be able to consistently enforce policies and prove compliance to an auditor. Also, policies must be written down and accessible to those who need to comply with them. A security policy should have specific sections, such as: an overview; a purpose, which specifies why the policy is needed; a scope or audience, who and what the policy covers; policy statements, the main section of the document, which provides a statement on each aspect of the policy (for example, an acceptable use policy might have individual policy statements on internet use, email use, software installation, network access from home computers, and so on); an implementation date, when the policy will be enforced; and compliance or exceptions, how the policy will be enforced and how to apply for an exception.

Fortunately, you don't have to create these policies on your own. The SANS Institute is a cooperative research and education organization focused on training cyber security experts. SANS also develops, and makes available at no cost, research documents on information security topics. Check out their Information Security Policy Templates, which cover general policies and security for networks, servers and applications.

Standards are mandatory actions or rules that provide support or direction on how to comply with policies. For example, a consistent company email signature that has the same format for all employees. A standard may be technical in nature, with specific configuration settings.

Guidelines are recommendations on best practices, but are generally not enforced. For example, a guideline may recommend that employees use a random password generator to create a strong password.

Procedures are sets of specific steps to be taken to achieve a desired result. They are often written to ensure that tasks are completed in the same way each time, preventing unexpected problems. For example, the IT department may have a procedure for changing a workstation password. It includes specific step-by-step details, so that anyone in IT could follow it and expect the password to be changed correctly.

Your company may need to comply with outside security or privacy laws, regulations or standards, such as HIPAA, the Payment Card Industry Data Security Standard (PCI DSS), or NIST SP 800-53. Each provides specific and required security controls. These will often dictate the contents of your policies, standards and procedures.

IT governance is the oversight of company information systems, operations and activities as set out in your policies. It should include the creation, maintenance and enforcement of policy documents.

As you can see, there is a difference between policies, procedures, standards and guidelines. Each has its place and fills a specific need. Now is a good time to review your company policies.