IT Strategic Policy
Version: 1.00 | Issue Date: 9/8/2014
The purpose of information technology security policies is to inform organizational members about their duties in protecting the organization. The policies may apply to one or more groups of people but the policies should be written to inform specific groups about their roles and duties regarding each policy.
This policy is an overall framework for the formation of policies for the organization. It applies at the enterprise level covering the entire organization. The purpose of this policy is to establish the framework for developing organizational policies and ensuring the policies are well communicated, followed, and enforced.
This overall IT Security Policy is written to cover policy creation and policies for the entire organization. It applies to those who create policies for the organization and any personnel who authorize and have the authority to create policy. This policy is effective as of the issue date and does not expire unless superseded by another policy.
Policies shall be written so they apply to permanent, temporary, and part time staff members along with consultants, contractors, vendors, any volunteers, or anyone who uses the resources of the organization.
This policy and all organizational policies are for internal use only and are not to be conveyed to those outside the organization who have no need for them. Staff members including employees, contractors, and some vendors must have access to these policies but must have signed non-disclosure agreements on file.
4.0 Support and Creation
Policies can only be effective if they have the support of members of the organization, especially the management. All relevant parties must have input and be involved in the creation, modification, or removal of new policies especially when the policy affects them. The reasons for the policies must be made clear to members of the organization to help win their support. Management must be sure that policies are communicated effectively and provide mechanisms to be sure they are being followed. Management must also provide for enforcement of the policies. Senior management must encourage staff members to follow and communicate the policies.
Various members of the organization should be involved in the creation, adoption, and approval of policies which apply to the organization or parts of it.
The head of the organization or Chief Executive Officer (CEO) should authorize and support the effort.
The Chief Information Security Officer (CISO) should support, authorize, review, and assist with the effort.
Management affected by the policies.
Information Security Committee
Information Technology staff
Human resources staff and management.
Auditing staff and management.
Legal Counsel and staff.
Unions where applicable
During the creation of policies, accepted practices in applicable areas will be researched.
Those who oversee and/or approve policy and its creation should include in the effort to create and modify policy some individuals who support quality in the organization. Some individuals on the Information Security Committee should be supporters of high organizational quality. A quality committee should be created and empowered by upper management to measure and promote organizational quality.
Members of management in various functional areas including information technology (IT) will bring policy issues to the attention of the Information Security Committee and work with the committee to get the appropriate policies created and implemented. Any areas not covered or requiring additional policies should be brought to the Information Security Committee.
5.0 Policy Contents
Policies must provide the following information:
Purpose - The reason for the policy.
Scope - Define
Who the policy applies to. Include information about who performs actions, who checks to be sure policy is being followed, and who enforces policy. The roles and responsibilities of employees and management are defined in the policies whether the roles are security related or not.
When the policy applies and when actions required are to be performed.
What equipment the policy applies to.
The organizational level and departments the policy applies to.
Date - The date the policy was created.
Version - The version number of the policy.
Terms - Any terms related to the policy or associated procedures should be defined.
When information or data is affected:
Who is authorized to decide who keeps, creates, modifies, deletes, or distributes the data.
Who owns the information.
Who keeps the information.
What actions users and administrators are expected to take to keep the data safe.
When the policy is first applied and when it expires.
Where a procedure will be required to make the policy useful or effective, the policy should reference the procedure or call for a procedure to be defined and specify who will define the procedure.
Refer to commonly accepted security policies or practices where appropriate.
Enforcement - Define the consequences of failure to follow policy such as loss of access or loss of employment.
Policy approval - Define who approves the policy and their authority.
Laws - Any laws which apply to any policy or procedure or laws that affect the policy or procedure must be identified in the policy or procedure.
A process shall be created and used during the development of policies to identify external requirements that the policy must include or that affect the policy. External requirements may include laws, copyright protections, business partner requirements, licensing requirements, purchasing terms, and others.
The various ways information may be communicated such as computer networks, FAX, telephone, television, radio, paper, and other media including carrying disks by foot must be addressed where applicable.
Skills and resources required to follow the policies must be clearly defined and budgeted by management.
A policy implementation and deployment plan shall provide milestones, goal indicators, success factors, and performance indicators to determine whether the policy is having its desired effect as it is deployed through the organization.
The quality objectives, controls the policy relates to or adds, and measures of the effectiveness of the controls and the policy are defined.
6.0 Policy Communication and Enforcement
When policies are established or modified they must be communicated to the people who they affect. It will be the job of the organizational communications officer to ensure that policies are communicated. The Human Resources Department will ensure that the communications officer has the skills to communicate the policies effectively. When applicable, all personnel should sign a statement that indicates that they have read, understand, and agree to abide by the policy. This should be enforced through the Human Resources department.
A process for communication of the security policies and procedures must be developed by the security officer and a process for enforcement through the Human Resources department must be developed by Human Resources combined with the Information Technology department. Policies supporting departments outside IT must have enforcement processes developed between the affected departments and the Human Resources department.
7.0 Policy Review
Policies should be reviewed regularly by the Information Security Committee and management or a management appointed team to be sure the policy is effective in providing for its intention and supporting the business needs and organizational infrastructure. Policies shall be reviewed after major changes that may affect their use such as a restructuring of the organization, mission change of the organization, or changes to laws or regulations. Policies should be modified, discontinued, or new policies created when appropriate. Technology development, changes in computer security attacks or mitigations, and changes in technology trends and methods should be monitored and policies should be updated as necessary due to changes.
Policies should be reviewed to determine their effectiveness. Security policy effectiveness may be measured using one or more of:
Quantity of security service calls.
Downtime related to security incidents.
Use of industry scores or rating of policy performance against your organization's past performance.
A policy creation and approval process shall be created by the Information Security Committee and approved by upper management. This process shall ensure that updated and required policies are issued in a timely manner and that enforcement mechanisms are in place.
The Information Security Committee shall create methods and processes that will be used to determine how well policies are understood and find areas where policies should be made clearer or where additional policies should be created. The Information Security Committee shall determine and implement methods to determine the cost effectiveness of specific policies.
8.0 Policy Organization
There are various ways to categorize organizational policies and the categorization method is a judgement call by the policy creators. In this document policies shall be organized and categorized according to the specific functional areas or groups of people that they may apply to. This organizational structure of the policy will help those who need to abide by the policy to understand which policies apply to them. For example, policies that apply to system administrators may not apply to all users of computers throughout the organization.
Access - Policies relating to what is required for access such as password policies and policies related to remote access.
Users - Policies that directly relate to users such as computer training, IT acceptable use, account management and others.
Network - Policies that relate to use of the network including applications that may be used, wireless, network documentation, and others. This section affects users and administrators in several areas.
Equipment Control - Policies about tracking equipment, using equipment, and disposing of equipment.
System Protection - Policies about how systems are protected and managed.
Data - Policies about how data is classified and protected.
General Security - Policies relating to general security such as intrusion detection, incident response, and disaster recovery.
Change Control - Policies about how changes to programs or projects will be made.
Auditing - Policies about how auditing is used to be sure security controls are in place and working.
Contracting - Policies about how contracts are handled including standards for work done.
Business Protection - Policies that protect the business such as the business continuity plan.
Management - Policy about how management issues are handled including projects and planning such as Development Life Cycle Policy, Technology Planning, Acquisition and Maintenance Policy, and more.
Operational - Policy about the organization's operations including the Customer Support Policy, Service Level Policy, and others.
A project process and project approval process should be established, maintained, and enforced by upper management. Audits are to be used as a means to check enforcement and effectiveness of policies.
Responsibilities of owners of systems and data are to be included in policy.
Approved by:__________________________ Signature:_____________________ Date:_______________