Handbook of Information Security Management: Policy, Standards, and Organization


Section 4-4
Policy Development

Chapter 4-4-1
Policy Development

Michael J. Corby


Discussion of Corporate/Organizational Culture

The modern organization is not just a workplace. It has developed into a complex relationship among people, equipment, and the methods and procedures used by both to create an effective and productive environment. Much of our daily procedure is not scripted, but comprises undefinable protocol, a dialogue interchange constructed “on the fly.” As a result, the task of defining and developing fixed policy can often seem like a fruitless exercise. Still, even in this dynamic, developing architecture, a defined, written policy is not just an academic endeavor but an essential element in good security operations. Several specific purposes exist for developing and using sound, written policies. Some of them are not optional, but are mandated by the industry or environment in which the organization operates. Others are purely voluntary, but can often make the difference between an effective organization and chaos. This section will address the development of a Security Policy, its rationale, and the benefits that can be derived from its productive use.

Regulatory and Legal Requirements

The most obvious reason for developing formal policy is “because we have to.” Grant funding, handling of sensitive or hazardous materials, financial management, government or quasi-government organizations and medical, legal, and professional overseeing organizations are generally bound by common practices, many of which are reviewed and audited for compliance. Frequently, when public funds are being spent, personal information is being processed, or general health and safety issues are at stake, written policies and procedures are required. These methods help assure that safe and consistently correct procedures are being employed to conduct the work of the organization. Because the reviewers are few, and interested parties are many, these procedures allow focus to be tuned to the actual work result and not the method being used to produce it.

Baseline of Appropriate Professional and Personal Behavior

Another significant purpose for developing written policies and procedures is to help guide the practice and behavior of professionals who are often faced with a combination of rote tasks and judgment activities. In this category, accountants, lawyers, physicians, scientists, and other well-trained staff associates depend on such written methods to assure that their efforts have been directed along prescribed, accepted practices. By adhering to these policies and procedures, the actual person doing the work can be interchangeable, because the accepted way of completing the task is consistent from individual to individual.

Communication with Individuals at Other Times and in Other Places

In most organizations, staff members are encouraged (and expect) to be promoted through the ranks, leaving behind their old positions and functions and moving on to new tasks and new responsibilities. The general rule of promotability is often to demonstrate that the work being left behind can be adequately and properly performed by the person moving into the vacated position. Written procedures, often developed or refined by the incumbent, have assured that this transition can be accommodated effectively and efficiently. Such written policies can span the time between two people doing essentially the same job, and can also span the distance between people doing the same job in different offices, cities, or even countries. When followed, such procedures are invaluable in assuring the consistency and accuracy of the work that was done in earlier times, or is being done in locations that cannot be monitored constantly. Written policies and procedures in these instances are a method of maintaining constant communication with the knowledgeable person who developed or last enhanced the work plan, similar to the way an instructor or mentor might be on site to help guide and advise the new position holder.

Vehicle for Collecting Comments and Observations

Nothing follows all specified rules and meets all expectations without exception forever. In this imperfect environment, organizations need a way to describe their expectations and to record any variances or special conditions that arise. Written standard policies and the special ways of handling unique situations can form a directory of operating procedures used in irregular or unique circumstances. These procedures can be used as a guide for helping others know the way rare conditions should be processed. They also can describe special situations observed or methods used, and can even describe the thought process and actual implementation plans that were devised when observations were made or the special needs arose. During review or as a learning tool, these comments and observations form a basis for describing new procedures or explaining the use of special conditions to other members of the organization or to process reviewers, auditors, or regulators, who were not present when the condition occurred.

