to narrow the SOX technical and operational scope, thus reducing the complexity of compliance management.
8.6 Policy Management

Policy management includes:

- Establishing corporate policy
- Communicating policy to employees
- Implementing and enforcing policy
The purpose of policies is to state appropriate behavior or actions for the organization. Policies manage the expectations of the organization for employee behavior, and the expectations on the part of the employee on how the organization will treat him; this warrants a considerable effort for policy generation and policy content. The goal of security policies is to convey appropriate actions with respect to addressing business risk and maintaining mission integrity.
The scope of security policies addresses physical infrastructure, technical infrastructure, intra- and intercompany relationships, and interactions that use or support information and information technologies relevant to the organizational mission. A bit of careful planning and writing produces policies that are extensible to accommodate various compliance requirements (e.g., HIPAA, SOX). Writing a complete set of separate policies for each individual compliance requirement creates redundant work and may result in inconsistency or, worse, conflicting policies. Rather than generate a set of HIPAA-specific policies or SOX-specific policies, generate a set of security policies and add qualifications to accommodate the legislation. Policies focused on IA rather than today's legislation will be extensible to accommodate the legislation of tomorrow.
IA policies should address the full spectrum of organizational concerns: personnel, physical, cyber, technology, infrastructure, servers, applications, and more. Each policy should be concise and follow a consistent format to promote ease of generation, maintenance, and readability. Many online and print resources offer suggestions for policy subjects and language.

8.6.1 Security Policies
Policies bound and qualify organizational behavior and are in essence corporate law. Policies are a subset of the internal compliance requirements that also include standards, procedures, mission statement, and SLAs. The act of creating policies is a subset of compliance management.
Security policy categories include administrative, personnel, physical, and cyber; specific security policy examples are password, encryption, access, firewall, intru-