In this lesson, instructor Kelly Handerhan covers the basics of policy. We have looked at risk and moved on to strategy; now it is time to write our policies. When we talk about policies, we are talking about high-level statements from senior management. For example, a security policy is likely to be very broad in nature.

After corporate strategy is developed, the following documents come next, each more specific than the one before it:

- Policies: broad, high-level statements addressing questions such as: what is the organization's desired security posture? What does the organization need to do to maintain that posture?
- Standards: supply specifics to policy, answering questions such as: how will users protect their workstations? How will servers be hardened?
- Procedures: detailed "how to" documents giving step-by-step instructions.
- Guidelines: helpful suggestions for best practices.

What should a policy include?

- Scope: it should address all information, systems, facilities, programs, data, networks and all users of technology in the organization, without exception.
- Information classification: it should provide content-specific definitions of each classification category.
- Management goals for the secure handling of information in each classification category.
- Placement of the policy in the context of other management directives and supplementary documents.
- References to supporting documents.
- Specific instruction on well-established, organization-wide security mandates.
- Specific designation of well-established responsibilities.
- Consequences for non-compliance.

