Policy, Standards and Procedures
Defining the outcome of your security program
Legal hates to define policy; counsel usually wavers between defining no policy at all and a bare-minimum set of policies, and there is nothing worse than having a policy that you don't follow. To Secure Labs, policies are the laws that define what the enterprise can, cannot, and will do. Policies state the high-level management objectives that lay out the structure and framework for the Information Security program. The policies determine the standards that will be adhered to and the detailed procedures that will be followed in IT operations. Defined policies also form the framework of an internal IT audit program, against which the enterprise can measure its level of compliance with the management objectives that have been defined. In short, policies are the foundation of Information Security.
Once legal gets around to finally approving policies, usually after the second round of golf and right after the fat lady sings the final verse, standards can be defined. Policy statements are high-level statements that follow management direction, hopefully in keeping with the letter of the law, applicable mandates and business objectives. These high-level statements are refined, interpreted and documented into corporate standards. Standards are developed jointly by Information Security and the business units responsible for operating the systems the standards apply to. The business unit has to live with and support the standard; remember, security is a two-way street. Once the standards are agreed upon and a baseline is developed, procedures for maintaining and operating the system are developed, documented and followed. Did we mention all of these documents are subject to audit?
Procedures
Overcoming Management Objections
Secure Labs knows that governance and compliance are a necessary evil; if you don't believe us, read the daily paper. Data theft, computer breaches, misuse of private information, publication of classified information, the list goes on and on. Executive management is fairly sensible when it comes to deciding on a properly presented plan for implementing a compliance mandate. There is a return on investment case for most mandates. The benefits may not be immediate or tangible, but trust us: when you are breached and the time for fines and settlements comes along, having a darn good compliance effort documented and in place goes a long way.