Time
3 hours 7 minutes
Difficulty
Beginner
CEU/CPE
4

Video Transcription

00:00
Welcome to the Cybrary Demystifying PCI DSS Compliance course.
00:05
This module focuses on how to develop strategies to meet PCI compliance objectives.
00:12
This video focuses on how to write policies to satisfy auditors while also being effective for your organization.
00:20
The learning objective of this video is to provide you with the basic framework for developing policies for the 12 PCI DSS requirement areas.
00:28
I'll also talk about how, when it comes to policy, innovation is overrated.
00:35
Throughout the PCI DSS, you're instructed to provide a policy for each of the different requirement areas.
00:41
Policies address: what is the rule?
00:43
A good policy states the rule as defined by the highest authority within the organization.
00:49
What a policy does not do is to discuss how to implement the rule.
00:53
Policies are meant to be high level and address objectives, while procedures dictate the implementation of the rule.
01:00
Your policies need to be readily available to your employees because auditors will be asking the personnel if they know how to access the policies that should be governing their behavior.
01:11
Here are some tips for developing good policies that will pass the scrutiny of a QSA.
01:18
When writing your policy, it's important to use clear and specific language.
01:23
Effective written policies should incorporate clear and specific language that is not open to interpretation by individual employees.
01:30
A policy that speaks in general terms, like "limit personal email to an appropriate amount,"
01:36
leads an employee to try to figure out what that appropriate amount is supposed to be.
01:41
Words like "should" and "may" should be avoided so that readers of the policy are not given choices on matters.
01:48
Use policy to spell out exactly what you mean in detail.
01:52
Err on the side of specificity to write effective policy.
01:57
Adhere to the ABCs of effective policy writing.
02:00
A is for accuracy.
02:02
As a policy writer, present accurate, reliable and trustworthy information and rules.
02:08
Accuracy also requires that you adhere to the rules of grammar, punctuation and style.
02:15
Compliance management rides on the information you present in written policy,
02:20
so you have to be sure you always get everything right.
02:23
The auditor will be looking to confirm the things you have stated in your policy.
02:27
We do this by interviewing personnel and looking for artifacts,
02:30
so if your policy says you do something every year, we will be looking for evidence that you have done this thing annually.
02:38
B is for brevity.
02:39
Try not to produce one massive policy document that covers too much information.
02:46
In order to increase the odds of having employees read, remember and adhere to written policies,
02:52
you should write brief policy documents covering each individual business requirement.
02:58
Keep each policy short, simple and straight to the point.
03:01
C is for clarity.
03:04
Clarity is essential to communication and compliance success.
03:07
Make it easy for employees to read through a policy from beginning to end.
03:13
Focus on developing sentences that are logical and error free.
03:16
Employees should not have to try to decipher the intent of statements.
03:23
You want to make the policy as easy to use and readable as possible.
03:27
So use white space, or blank space, to enhance policy readability and add visual impact.
03:32
Rely on boldface headlines and subheads to emphasize important points.
03:38
Communicate rules and other important policy information in small, bite-size chunks.
03:43
Use bulleted or numbered lists to enhance readability.
03:46
Include a table of contents in lengthy policies to help employees locate information quickly when questions or concerns arise.
03:54
Also include a glossary of terms to help eliminate confusion, enhance awareness and support compliance.
04:01
Include contact information for policy team members to let employees know who to contact when policy-related questions arise.
04:12
Policies reflect the rules governing the implementation of the CDE processes.
04:16
Procedures, on the other hand, represent the implementation of policy and should evolve over time as new tools emerge, new processes are designed and the risks associated with an area change.
04:29
Rather than combining policies, procedures and guidelines in a single document, it is recommended, as a general rule, that policies and procedures appear in separate documents.
04:41
Originality is overrated.
04:43
There are a ton of templates out there that you can use to help you build out your policy.
04:47
If you don't know where to begin, you can steal some of these templates as a framework to help you develop your policy.
04:53
Here's a link to some policy templates to help you build from.
05:00
Make sure it is clear who is responsible for a policy, who authorized the policy and who is impacted by the policy.
05:06
Throughout the PCI DSS, you are required to group your personnel into roles, and these roles have specific responsibilities.
05:15
You need to be clear what those are and who is affected.
05:20
In summary, we've gone over some of the key components of effective policies,
05:25
how to get started on writing your policies,
05:27
and the importance of defining the roles in your policies.
05:30
And now, for a quick quiz:
05:32
When developing an acceptable use policy, it's best to use vague language to cover for scenarios that aren't anticipated.
05:43
This is false.
05:45
You need to be as clear and specific as possible so that employees do not circumvent your policy.
05:49
You should review your policy regularly to make sure it's updated as your environment evolves.
05:58
Well, compared to policies, procedures are:
06:00
more detailed and technical,
06:02
or more high-level, strategic documents,
06:05
or not as important,
06:06
or define roles and responsibilities.
06:13
Procedures are documents meant to show you how to execute your policy.
06:16
They define the technology used and provide the steps to take to execute a task.
06:24
Who should sign off on a policy document?
06:27
The author of the policy,
06:29
the department leader,
06:30
the CEO,
06:31
or those executing policy tasks.
06:38
The highest person in the organization, or someone delegated by the highest person in the organization, should sign off on policy to make sure the policy has authority.

Instructed By

Timothy McLaurin
Director of Information Security at Wildcard Corp
Instructor