Required Functions of Policies

Characteristics

  • Efficiency (Communication)
  • Security
  • Reliability
  • Legal
  • Quality

Functions

  • Labor (Users)
  • Data
  • Equipment (Server, Network)
  • Service

The table below shows, for each policy, the primary characteristic it serves and the organizational function it addresses.

| Characteristic | Function | Specific | Policy |
|---|---|---|---|
| Efficiency | Labor | Communication - Definition of requirements for policies, such as what must be included in policies. | High Level Policy Creation Policy |
| Efficiency | Labor | Communication - Creation and maintenance of the organizational security plan. | High Level Information System Security Policy |
| Security | Labor (Access) | Prevents third parties from guessing passwords; provides accountability. | Password Policy |
| Security | Labor/Network/Data | | Remote Access Policy |
| Security, Efficiency | Users/Network/Data; Labor/Cost | Prevents incidents and improves staff performance. | Computer Training Policy |
| Security, Legal | Users/Network/Data/Equipment; Labor (Staff) | Prevents security breaches caused by users violating policy or picking up malware. Use of organizational resources should be appropriate to need. | IT Acceptable Use |
| Security | Users | Prevents granting too much access; limited access limits damage if a security breach occurs. | User Privilege Policy |
| Security | Data | Staff must treat data in a confidential manner and protect it appropriately to the business needs. | Privacy and Confidentiality Policy |
| Security | Labor (Access) | Prevents accounts from being used by employees who have left, or by others who may attempt to crack accounts. | Account Management Policy |
| Security | Labor (Access) | Assures that account management processes are followed when employees leave or are transferred, reducing the chance of security incidents. | Employee Termination Policy |
| Security | Labor (Access) | Reduces the chance that staff will get malware through their browsers. | Browser Configuration Policy |
| Security | Labor (Access) | Reduces the chance that untrustworthy employees will be hired. | Employee Background Screening Policy |
| Security, Legal | Labor (Access); Labor (Users) - Prosecution | Informs users that use must be for official reasons. Provides for potential prosecution of unauthorized users, since they are notified that use is restricted to authorized personnel and they are not simply "welcome". | Logon Banner Policy |
| Security, Legal | Data/Labor/Network; Labor | Organizational monitoring rights and responsibilities, information protection and use. | Code of Ethics Policy |
| Security | Network | Specifies how users can connect to the internet and specifies filtering of harmful or inappropriate sites. | Internet Connection Policy |
| Security | Labor/Data/Network | Prohibits use of unapproved applications to stop malware from being run on the network. | Approved Application Policy |
| Security | Network/Data | Requires wireless technologies to be approved and properly configured. | Wireless Communication Policy |
| Security, Efficiency, Reliability | Network; Network/Labor; Network - Disaster Recovery | Network documentation provides efficiency, security, and the ability to restore the network. | Network Documentation Policy |
| Security, Reliability | Server | Provides for scanning of servers to discover vulnerabilities so they are remediated, along with notification and communication requirements. | Network and Server Scanning Policy |
| Security | Network/Data | Defines requirements for the security perimeter. | Perimeter Security Policy |
| Security | Network/Data | Defines requirements for DMZ equipment. | Internet DMZ Equipment Policy |
| Security | Network/Data | Defines requirements for routers. | Router Security Policy |
| Security, Reliability | Network | Requires proper installation and maintenance, physical security for network equipment, and criteria for leased capabilities. | Telecommunications Communication Policy |
| Security | Labor, User Control - Internet abuse | Specifies filtering options and appropriate sites. | Surf Control Policy |
| Security, Efficiency | Equipment/Data; Labor | Requires assets to be tracked and kept current in a database. | Asset Control Policy |
| Security | Data | Requires equipment to be properly disposed of to prevent unauthorized loss of data. | Equipment and Media Disposal Policy |
| Security | Network/Data/Equipment | Specifies mobile device responsibilities and protections. | Mobile Computer Policy and Mobile Device Policy |
| Reliability | Equipment/Services | Specifies requirements for equipment to provide reliability. | IT Equipment Purchase and Failure Prevention Policy |
| Legal, Efficiency | Tools - Software availability; Labor - Software development | Requires purchased software and licensing to be tracked. | Software Tracking Policy |
| Legal | Licensing | Requires software to be licensed. | Software Licensing Policy |
| Legal | Property Rights | Prevents violation of property rights and requires tracking of intellectual property. | Intellectual Property Rights Policy |
| Security | Data/Equipment | Requires computer systems to run virus protection software. | Virus Protection Policy |
| Security | Data/Equipment | Requires systems to be regularly patched. | Patch Management Policy |
| Security | Data/Equipment | Requires systems to be locked down so unneeded services are not running and access levels are set to the minimum required. | System Lockdown Policy |
| Security, Reliability | Data/Equipment; Equipment | Requires servers to be monitored regularly for security incidents and system problems. | Server Monitoring Policy |
| Reliability | Service/Data | Defines when and how backups will be done. | Backup and Recovery Policy |
| Security, Reliability, Efficiency | Equipment; Service - Disaster Recovery; Labor | Requires network and server documentation to be complete and current. | Server Documentation Policy |
| Efficiency | Communication | Outlines a naming system that is useful for identifying equipment and makes it easier to get contact information. | Computer and Printer Naming Policy |
| Security, Reliability | Network; Network | Intended to prevent duplicate IP addresses and prevent unauthorized use of the network. | IP Address Assignment Policy |
| Security | Network/Equipment | Defines requirements for audit logs, including storage and review. | Audit Trail Policy |
| Security | Equipment | Requires computing devices used for the organization or on the organizational network to implement proper authentication protection. | Authentication Mechanism Policy |
| Reliability, Security | Services; Facilities (Physical)/Equipment | Requires hosting centers to meet minimum standards, with physical security, environmental controls, and power backup options properly implemented to provide stability and security. | Computer Center Operations Policy |
| Security | Data, Labor | Requires a proper process to be followed for investigations and requires users to be made aware of basic computer forensic issues. | Computer Forensics Policy |
| Security | Equipment/Network/Data | References several policies and lists requirements for server security. | Server Security Policy |
| Security | Data, Equipment, Users | Provides configuration requirements to help keep workstations secure. | Workstation Configuration Policy |
| Security | Data, Equipment, Users | Provides minimum standards of configuration and control for e-mail. | Email Policy |
| Reliability | Services | Ensures that a proper hosting environment is used to support servers based on the business need. | System Availability Policy |
| Reliability | Services | Helps ensure that servers can handle the current and projected demands of users and the business function. | Server Setup and Configuration Policy |
| Security, Reliability | Equipment/Data; Services | Helps ensure the proper and secure operation of servers and that the business need is being met. | Certification and Accreditation Policy |
| Security | Data | Defines classification of data. | Data Classification Policy |
| Security | Data | Specifies how information/data is handled based on its sensitivity classification. | Information Sensitivity Policy |
| Security | Data/Equipment/Services | Specifies how to identify risk in order to remediate it. | Risk Assessment Policy |
| Security | Data | Specifies access controls for databases. | Database Passwords Policy |
| Security | Data | Ensures information or data is properly encrypted based on its sensitivity classification. | Encryption Policy |
| Security, Quality | Data/Equipment/Services; Data/Equipment/Software/Services | Ensures all new projects are developed efficiently while providing the desired functionality, security, and quality. | Application Implementation Policy |
| Security | Data/Equipment/Services/Network/Server/Facilities/Labor | Helps ensure that security incidents are handled in a timely manner. | Incident Response Policy |
| Security | Data/Equipment/Services/Network/Server/Facilities/Labor | Specifies how intrusions are reported and dealt with, and where intrusion detection systems should be installed. | Intrusion Detection Policy |
| Reliability | Data/Equipment/Services/Network/Business Processes | Provides guidance and standards for developing disaster recovery plans, business contingency plans, business continuity plans, and the process of recovering from a disaster. | Disaster Recovery Policy |
| Security, Quality | Data/Equipment/Labor; Services | Ensures quality of services and project support to the organization by third parties. Also ensures that third parties are adequately identified when connecting electronically to the organization. | Third Party Identity Policy |
| Security | Facilities (Physical) | Specifies responsibilities for physical security. | Physical Security Policy |
| Security | Network/Equipment/Data/Labor (Access) | Describes how third party organizations may connect to the organizational network. | Extranet Policy |
| Security, Efficiency, Reliability | Labor/Data/Equipment; Labor/Tools; Data/Equipment | Ensures new technologies are used to the best advantage of the organization. Defines tasks required for reviewing new technologies and new security threats. | IT Steering Committee Policy |
| Efficiency | Cost - Risk Mitigation | Ensures that adequate and appropriate insurance is purchased where the organization is unwilling or unable to accept risk. | Insurance Purchase Policy |
| Security | Labor | Limits single-user privileges where a conflict of interest or profit opportunity may exist. | Segregation of Duties Policy |
| Reliability, Efficiency, Quality | Services; Labor; Services | Ensures system and software changes are minimally disruptive to services and that changes are coordinated between applicable groups. | Change Management Policy |
| ??? | | Not Done!!! | Security Controls Review Policy |
| Security, Efficiency, Reliability | All | Helps ensure that policies and processes are followed and are effective. | Auditing Policy |
| Security, Quality | Data/Equipment/Labor (Access); Equipment/Software/Services/Software development | Helps ensure the quality of third party IT services by specifying management methods and requirements. | Third Party IT Service Policy |
| Security, Quality | Data/Services; Software Development | Helps ensure the quality of software generated by, generated for, and used by the organization. | Software Standards Policy |
| Reliability | Data/Equipment/Services/Network/Business Processes | Ensures that policies and processes are in place and followed so that business functions continue during times of disaster or equipment failure. | Business Continuity Management Policy |
| Quality | Equipment/Services/Software/Software development | Ensures that applications, systems, and services meet the business need by requiring formal development life cycle processes. | Development Life Cycle Policy |
| Quality, Reliability | Equipment/Services | Ensures quality of systems and software while keeping systems compatible and supportable. | Technology and System Management Policy |
| Reliability | Equipment | Ensures that equipment and systems are properly maintained throughout the organization. | Preventative Maintenance Policy |
| Security, Reliability, Efficiency | Equipment/Services; Equipment/Services; Labor/Cost | | Technology Planning Policy |
| Security, Reliability, Quality, Efficiency | Equipment/Services; Equipment/Services; Equipment/Services; Tools | Keeps acquisition and maintenance activities in line with the planned technology infrastructure. | Acquisition and Maintenance Policy |
| Security, Reliability, Efficiency | Services/Equipment; Services/Equipment; Labor | Ensures that system and software changes are minimally disruptive to services and that changes are coordinated between applicable groups so that conflicts or duplication of effort do not occur. | Configuration Management Policy |
| Security, Reliability, Quality, Efficiency | Equipment/Services; Equipment/Services; Equipment/Services; Tools/Costs | Ensures third party services meet quality requirements. | Contracting Policy |
| Security, Reliability, Quality, Efficiency | Equipment/Services; Equipment/Services; Equipment/Services; Tools | Ensures third party goods meet quality requirements and deliveries are timely. | Supplier Policy |
| Efficiency | Costs | Ensures costs of information technology are controlled based upon the business requirement. | Cost Management Policy |
| Efficiency | Labor | Requires that all organizational policies be communicated effectively. | Communication Policy |
| Efficiency | Labor/Cost | Ensures structure and priorities are clear and that sufficient funding is available to meet required needs. | IT Organizational Policy |
| Efficiency | Costs | Requires that roles and responsibilities be defined for budgeting, that risks be identified, and that the budget be monitored. | IT Budget Policy |
| Efficiency | Labor coordination/Labor communication/Labor skills | Ensures IT critical functions are supported by competent personnel, that compensation matches the required competence, skills, and performance, and that roles and task descriptions are formalized. | IT Human Resource Policy |
| Legal | Labor/Tools/Services/Property Rights/Data/Business Processes | Defines how external requirements, such as legal requirements, will be managed. | External Requirements Policy |
| Quality | Services | Help Desk | Customer Support Policy |
| Reliability, Security | Business Processes/Services; Services | Ensures security is kept in place during emergencies and that adequate preparation helps minimize the impact of emergencies. | Emergency Access Policy |
| Quality, Reliability | Services | Ensures service level agreements are adequate to protect the organization and require quality service that meets business requirements. | Service Level Policy |
| Quality, Reliability | Services | Ensures information technology services meet the standards required to satisfy the business needs. | Service Monitoring Policy |
| Reliability, Efficiency, Security | Business Processes/Services/Equipment; Labor; Services/Equipment | Ensures internal controls are effective, problems are quickly reported and addressed, and change control meets its purpose of ensuring changes are implemented without incident. | Internal Controls Policy |
| Stability, Quality, Reliability | Equipment; Services; Business Processes | Ensures information technology continuity practices support the business processes to meet the business needs. | Service Reliability and Continuity Policy |
| Quality | Services | Requires a quality assurance plan to be developed and enforced, along with quality standards for services. | Service Quality Policy |
| Quality | Business Processes, Services, Equipment | Requires a quality assurance plan to be developed and enforced, along with quality standards. | Quality Policy |