It defines the scope of security, what is expected of employees, and what the consequences of noncompliance will be.
A security program includes: Policies, Procedures, Standards, Baselines and Guidelines
Policies are the strategy; procedures, standards, baselines and guidelines are the tactics. Procedures are the lowest level in the policy chain.
The policy provides the foundation; procedures, standards, baselines and guidelines form the security framework built on it.
There are three categories or types of policies:
- Regulatory: ensures that the organization is following the standards required by a specific industry or law.
- Advisory: strongly suggests certain types of behaviors and activities.
- Informative: informs about certain topics; it is not an enforceable policy but is meant to teach people.
The security policies are:
Organizational Security Policy
- how the security program will be set up
- the program's goals
- assignment of responsibilities
- the strategic and tactical value of security
- how enforcement should be carried out
The organizational security policy provides scope and direction for all future security activities within the organization and defines the amount of risk senior management is willing to accept.
Issue-specific policies are more detailed, because they provide direction and structure for the staff on one particular topic.
For example: an email security policy.
System-specific policies cover computers, networks, applications and data, for example:
- approved software list.
- how to configure firewalls.
- how databases have to be protected.
and so on.
More granularity is needed in this kind of policy.
Standards and baselines achieve consistency in security implementation.
Baselines provide the minimum security level necessary throughout the organization,
for example: at all workstations of the company, at least C2 level is required.
Guidelines are recommended actions and operations for staff and users when a specific standard doesn't apply.
Guidelines are flexible.
Procedures are tasks detailed step by step to achieve a certain goal.
Procedures spell out how the policy, standards, and guidelines will actually be implemented.