Policy Basics


3 hours 54 minutes
Video Description

In this lesson, instructor Kelly Handerhan covers the basics of policy. We've looked at risk, we moved on to strategy, now it's time to write our policies. When we talk about policies, we're talking about high-level statements from senior management. For example, a security policy is likely to be very broad in nature.

After corporate strategy is developed, next comes:

- Policies: broad, high-level statements addressing topics such as: What is the organization's desired security posture? What does the organization need to do to maintain its security posture?
- Standards: standards supply specifics to policy, such as: How will users protect their workstations? How will servers be hardened?
- Procedures: a detailed "how to" giving step-by-step instructions
- Guidelines: helpful suggestions for best practices

What should policy include?

- Scope: it should address all information, systems, facilities, programs, data, networks and all users of technology in the organization, without exception
- Information classification: should provide content-specific definitions
- Management goals for secure handling of information in each classification category
- Placement of the policy in the context of other management directives and supplementary documents
- References to supporting documents
- Specific instruction on well-established organization-wide security mandates
- Specific designation of well-established responsibilities
- Consequences for non-compliance

Video Transcription
Okay, so let's talk about the basics of policy. So we looked at risk, then we moved on to strategy. Now it's time to write our policies, and when we talk about policies, we're talking about high-level statements from senior management that sort of issue directives for the organization.

So, for instance, a security policy is likely going to be very broad in nature. It's not gonna be real detailed, not gonna name individuals, not gonna give any new technologies, procedures or any of that. It's ultimately gonna be broad, high-level statements from senior management. We tend to keep our policy short and sweet.

We don't have a ton of policies; our policies are broader, and then we let standards fill in the basics of anything that policy didn't address. So whereas we're gonna have limited policies, we're gonna have a lot of standards, and those standards will actually give definition to the policy.
So whereas we might, in our policy, talk about being committed to protecting patient information as a health care provider, well, then our standards are gonna dictate how we're going to do that, you know, with access control or however.

Now, we'll also have procedures in place, and procedures are the step-by-step instructions on how to accomplish some sort of activity or task. So those are the details that get into the technology, and here's how we're gonna accomplish this.

And then last but not least, we have guidelines. Now, the big thing about guidelines that's different from everything else is that guidelines are not mandatory. They are suggestions, right? They're kind of those "should"s instead of "shall"s. So things like, in order to enhance security awareness within the organization, we recommend that our staff attend training whenever possible. Right, that "we should," "we recommend"; those ideas are very much geared towards being non-mandatory.
All right, so what should policy include? Now, like we said, this is broad and high level from senior management. What do we want to look at? Well, the first thing that we want to talk about is we want to figure out the scope of this policy. So within the scope, you know, if we're looking at organizational policy, we're gonna talk about the information, the facilities, our systems, data, networks. Everything is very, very broad and very, very inclusive in nature, right? We're including our systems, our information, our facilities. And ultimately, everything that falls under the scope of this policy needs to be documented. Now, this says "without exception." We will talk about instances where there are exceptions, but right now we're gonna work in an environment where there are no exceptions.

With policy, are we dealing with classified information, and what is our policy? How does that get classified? What are the requirements for classifications? What criteria must be met? What is the baseline security control for certain classifications of data? We need policy to address that.

What are management's goals? What are we hoping to accomplish? And again, policy is this commitment from management that talks about, you know, we want to inspire confidence in our customers and guarantee them that we protect their information. So these broad statements ultimately are gonna address what we hope to do, what we're looking to provide.
How this policy fits into other management directives: like I said, as an organization we may have certain legislative drivers, and those are very appropriate to mention in our policy. You know, "in order to satisfy the requirements of Sarbanes-Oxley, this policy addresses corporate accountability," something like that. Any other supporting documents: so if we have a roles and responsibilities document, if we have standard operating procedures, those can certainly be referenced in policies, as well as any standards that are going to provide more details on the policy.

Specific instructions on well-established organization-wide security mandates: again, just any sort of other documentation. If there are laws, drivers, mandates that had previously been released, we can reference those in policies as well.

And then also the final point here: consequences for non-compliance. What does compliance look like, what does compliance not look like? And if we're in an area of non-compliance, what happens? You know, what are the penalties? Whether it's for a department or an individual, what does non-compliance look like, and what are the results of non-compliance? All of that information should be included in your policies.