[Figure 8.3: Policy, standard, and procedure relationships with compliance requirements. Compliance requirements drive policies (specify organizational behavior to comply); policies drive standards (specify what to implement and enforce policy); standards provide input to procedures (specify how to implement and enforce policy); procedures provide input to guidelines (operations and user direction to ensure appropriate application of policies, standards, and procedures).]
- Developers—The researchers and writers
- Submitters—The formal provider to reviewers; may be the same as initiator
- Reviewers—Peer or management team to validate content
- Approvers—Formal set of approvers; often take recommendation of reviewers
- Implementers—Apply policy to business operations, technical infrastructure, and solutions
Policy sponsors are more often technology and security managers; less often, executive sponsors dictate the need for policy (e.g., policy to guide organizational behavior in support of Sarbanes-Oxley). Steps to policy design and implementation include:
- Write policies in support of external compliance requirements, industry standards and best practices, and business drivers.
- Peers and various line managers review and comment on policy from their particular perspectives.
- Place review emphasis on the practicality of policy and balancing operational effectiveness with security.
- Reviewers provide recommendations to approvers, who ultimately sign off on the policy prior to its internal publication and dissemination.