In creating and maintaining documentation for applying proper security management and practices within an organisation’s information technology environment, it is important that there is a clear understanding of what the terms policy, procedure, standard etc. mean. Let’s step through some of the key terms and their definitions –
The Role of Policies and Procedures
The distinction between a policy and a procedure is often misunderstood. Both play a key part in managing a business, and there is an interrelationship between the two types of material. IT Security Policies should be written to outline the objectives of your information security programme. A well-written IT security policy should provide clear statements for managers and employees that give direction on what they must or must not do when interacting with systems and data. Policies should be formally reviewed, approved and supported by senior management before being released to the organisation and its people.

IT Procedures are meant to document how to complete an IT task or process and in some cases will be quite detailed and lengthy. Procedures are invaluable for ensuring that all important tasks that are key to the functioning of a business are completed smoothly. They work well in situations where a task might be complicated, requires consistency, entails completing documentation or is perilous if completed incorrectly. Mixing policies with procedures makes things unclear to the reader and diminishes the effectiveness of both.
Getting the Structure Right
In building a house, if you get the foundations right, the structure that sits atop them is more likely to stay in place. Making the investment to get foundational IT Policies well written and easy to understand will set your information security programme and security culture on a solid footing. For those who can muster the time and money to create a full set of information security programme documentation, a comprehensive suite should comprise the following sections –
Policy – statements of intent that guide and direct people on how they are expected to interact with organisational systems and data.
Control Objectives – the target or ideal status that needs to be achieved to ensure that policy intent is met.
Standards – established, finite and quantifiable requirements to be met regarding processes, actions, and configurations.
Procedures – detail how to complete an IT task or process.
Guidelines – in place for users if or when specific standards do not apply.
Protocol Policy Systems assists organisations in documenting and delivering the key elements of an information security programme.
Our Policy Management as a Service (SaaS) offering is subscription based and sees our experts help you deliver a comprehensive suite of policies customised to your business requirements.
The policies are set up for 3 user types – General, Manager and Technical User. Additional key system elements include Security Awareness videos, system navigation and content search functions, and an Operations section for forms, guidelines, process and procedural content.
Each policy is written in plain English so that it is easy to understand and is supported by an additional “explanation” drop down box under each policy statement.
All policy content is mapped to your choice of international standards such as ISO and PCI plus regional requirements covering the PSN and Cyber Essentials.
Satisfying audit and compliance requirements is very straightforward.
Policy Management as a Service is delivered to customers at a fixed cost per annum, providing up-to-date, relevant policy content with supporting material. Knowing you have the foundations in place means your team can focus on other important or higher-value security tasks.
To book an online demonstration contact Emma Tickner.