Policy samples can be used to assist an organisation's own policy development efforts. Writing an information security policy is a difficult and arduous task, and if you are unaccustomed to it you may find it frustrating and confusing. Many organisations have a standard set of organisational policies that govern the way the business is performed. These policies are implemented to support business objectives and the mission of the enterprise. Security Bastion has a large range of policies, standards and procedures which can help you develop your own information security management framework quickly and effectively. Here is a brief description of the different types of security policy samples you can expect to find at Security Bastion:
Levels of information security management documentation
In information security it is best practice to organise your information security management framework into segregated levels. The first level, sometimes called the organisational policy level, is where information security policy documents reside. These top-level policies are implemented to manage risk across the entire business holistically. On the second level are more topic-specific governance documents called information security standards, which address issues such as authentication and authorisation, communications and operations management, and so on. Finally, on the third level are low-level procedure documents, which set out the steps necessary to implement the standards and policies.
There are a number of good reasons to segregate these various types of documents:
• Each of these documentation types serves a different purpose and may communicate to a different audience. For example, external readers such as investors, regulators and contractors would have different access to, and a different granularity of, information than internal employees.
• More detailed levels of documentation need to be updated and maintained more regularly as technology changes in the environment and across the organisation. Segregating the documentation makes standards, procedures and processes easier to update and maintain, whereas an update to the policy takes much longer because of its ratification process with senior executives.
Below are descriptions of the various types of documents. They should help the reader distinguish between each of them and provide a little guidance in separating these documents out of a single document that may contain them all and therefore be difficult to manage. Security Bastion's policy samples are divided into each of the following:
Information security policy definition
The information security policy sits at the highest level and defines the organisation's commitment to information security and its importance to the organisation's objectives and business. The information security policy captures an organisational commitment to securing information assets and to incorporating security into the corporate strategy in an effort to manage operational risk. Additionally, the information security policy authorises certain activities and assigns corporate responsibility and accountability for meeting the policy's intent. This high-level document provides guidance for the development of all lower-level documents, which define both requirements and measurements for the organisation and how the organisation should meet each requirement. By its nature, an information security policy is senior management's instructions on how the organisation should be run from a security perspective. It is an overall statement of high-level objectives, ethics, goals, and roles and responsibilities. Everyone across the corporation must comply, and executive approval is required when an individual or corporate entity wishes to take an opposing course of action. An information security policy changes little over time.
Information security standards definition
Information security standards dictate the use of specific technologies in a holistic way to meet the individual statements set out by the information security policy. Like policies, standards are compulsory and must be implemented across an organisation in a uniform way. Standards are generally changed and updated as technology and its requirements change over time. The information security policy statements that standards enforce need to be reviewed on a periodic basis, and if they are altered in any way then the standards should be adjusted to comply. Standards are a set of rules for implementing policy. They direct the reader towards specific technologies, methodologies, and implementation procedures. Compliance with standards is compulsory, and exceptions must be managed via a risk management process without exception. Generally, a single simple policy statement can generate many standards.
Information security procedures definition
Information security procedures are the lowest level that a company will generally specify and document. Procedures can be described as the steps that are performed to accomplish a specific security-related task. These detailed steps are implemented by employees to meet a security requirement or to implement other elements such as standards or policy statements. Procedures change over time more often than policies and more frequently than standards, since they are driven by business needs, structure and the individual skills of the personnel that perform them. Information security standards have the most direct impact on the scale and development of procedures. Procedures generally include references to these other elements of the documented information security policy chain. Additionally, information security procedures should include training and logging as necessary for the employees executing them. Information security procedures contain the specific operational steps employees must take to achieve goals which are often stated in policies and standards.
Security Bastion's policy samples
All of the above may sound overwhelming to some, but by using Security Bastion's policy framework these individual documents can be produced in a matter of hours, quickly and easily, enforcing and introducing best practices.