Policy Management & Compliance
The following defines the differences between Policies, Procedures, Guidelines, Standards, Principles, Best Practices and Frameworks. The term "policy" is used in two senses:
- Senior management's directives to create an information resources security program, establish its goals, and assign responsibilities.
- Specific security rules for particular systems or specific managerial decisions, such as establishing an organization's electronic mail (e-mail) privacy policy or fax security policy.
Policies contain the following information:
- Identify general areas of risk.
- State generally how to address the risk.
- Provide a basis for verifying compliance through audits.
- Outline implementation and enforcement plans.
- Balance protection with productivity.
Policies are of three (3) types:
- Program policies address overall IT security goals and typically apply to all IT resources within an institution.
- System-specific policies address the IT security issues and goals of a particular system.
- Issue-specific policies address particular IT security issues, such as Internet access, installation of unauthorized software or equipment, and sending/receiving e-mail attachments.

