Information security policy is defined by NIST 800-12 Rev. 1 as “an aggregate of directives, regulations, rules, and practices that prescribes how an organization manages, protects, and distributes information.” In crafting and implementing security policies, managers face difficult choices regarding competing objectives, resource allocation, employee behavior, and organizational strategy.
Managerial decisions regarding information security issues vary greatly but result in three different types of policy:
- Program Policy,
- Issue-Specific Policy, and
- System-Specific Policy.
Program policy (issued by a senior manager or management team) is used to create an organization’s information security program. A program policy sets the strategic direction for security and assigns resources to implement security within the organization. This high-level policy defines the purpose of the information security program and its scope within the organization, addresses any compliance issues, and assigns responsibility for direct program implementation to the security organization as well as other related responsibilities.
Basic Elements of a Program Policy address a number of items including:
- General Compliance
- Specified Penalties and/or Disciplinary Actions
Issue-Specific policies provide specific guidance and instructions on the proper use of systems. Issue-specific policies address current technologies in use in the organization and expected employee behavior around those technologies. Because technologies change so frequently, issue-specific policies must be reviewed on a regular basis to ensure that they are current. New technologies and the discovery of new threats often require the creation of an issue-specific policy. Some examples of issue-specific policies include:
- Internet Access Policy
- Bring Your Own Device (BYOD) Policy
- Social Media Policy
- Unauthorized Software Policy
- Unauthorized Use of Equipment Policy
- Use of External Storage Policy
- Contingency Planning Policy
- Risk Management Policy
- Protection of Confidential/Proprietary Information Policy
- Physical Emergency Policy
Basic Elements of an Issue-Specific Policy address a number of items including:
- Issue Statement – Define the issue and specify the goal or justification for the policy.
- Statements of the Organization’s Position – Clearly state the organization’s position on the issue, e.g., whether the use of unofficial software as defined is prohibited in all or some cases, whether there are further guidelines for approval and use, or whether case-by-case exceptions will be granted, by whom, and on what basis.
- Applicability – Clarify where, how, when, to whom, and to what a particular policy applies.
- Roles and Responsibilities – Identify who is responsible for implementing and monitoring the policy.
- Compliance – For some types of policies, describe unacceptable behaviors and the related consequences.
- Points of Contact and Supplementary Information – Who (or what position) to contact for further information, guidance, and compliance related to the policy.
While program and issue-specific policies are broad, high-level, and written to cover the entire organization, system-specific policies relate to specific technologies and provide information and direction on the specific actions that are permitted on a given system. System-specific policies dictate the appropriate security configurations to the people responsible for implementing the required security controls in order to meet the organization’s information security needs. After management determines the security objectives for a specific system, rules for managing and operating that system can be identified and documented. A decision must be made concerning the level of detail to include in the policy as well as the degree of formality used in documenting the system-specific policy.
Technology (especially access controls) plays an important role in implementing and enforcing system-specific policies. Management controls also play an important role in policy enforcement. Additionally, the occasional need for deviations from a policy must be anticipated and prepared for.
System-specific policies must be reviewed frequently to ensure that they conform to the most current security procedures.
Information security policies are often extensions of organizational policies in other forms. For example, an organization’s email policy would likely support its broader policy on privacy as well as policies regarding the appropriate use of equipment and facilities.
The cost of securing information and systems is unavoidable, and part of that cost is incurred through the policy development process itself. Administrative and management activities are required for drafting, reviewing, coordinating, disseminating, and publicizing policies. In many organizations, successful policy implementation may also require additional staff and training.
The objective is to ensure that the security protections implemented are commensurate with risk by striking a balance between the protections required to meet the security objectives of the organization and the cost of those protections.
Note: Policy controls are addressed by the -1 controls for every security control family in NIST SP 800-53 (for example, AC-1 for Access Control). The -1 controls establish the policy and procedures for the implementation of the individual security controls and control enhancements in that family.