Page037
Components of Program Policy
Every policy should contain these basic components:
- Purpose
- Scope
- Responsibilities
- Compliance
Purpose describes the need for the policy, typically to protect the confidentiality, integrity, and availability of the organization's data.
Scope describes what systems, people, facilities, and organizations are covered by the policy. Any related entities that are not in scope should be documented, to avoid confusion.
Responsibilities spells out what is expected of information security staff and of the policy and management teams, as well as the obligations of every member of the organization.
Compliance describes two related issues: how to judge the effectiveness of the policies (how well they are working) and what happens when policy is violated (the sanction). All policy must have “teeth”: a policy that forbids accessing explicit content via the Internet is not useful if there are no consequences for doing so.
Policy Types
NIST Special Publication 800-12 (see https://csrc.nist.gov/publications/detail/sp/800-12/archive/1995-10-02; the 2017 revision, SP 800-12 Rev. 1, keeps the same breakdown) discusses three specific policy types: program policy, issue-specific policy, and system-specific policy.
Program policy establishes an organization’s information security program. Issue-specific policy addresses a single area of concern; examples listed in NIST SP 800-12 include an email policy and an email privacy policy. System-specific policy applies to one system or class of systems; examples include a file server policy or a Web server policy.
Procedures
A procedure is a step-by-step guide for accomplishing a task. Procedures are low-level and specific. Like policies, procedures are mandatory.
Here is a simple example procedure for creating a new user:
- Receive a new-user request form and verify its completeness.
- Verify that the user’s manager has signed the form.
- Verify that the user has read and agreed to the user account security policy.
- Classify the user’s role by following role-assignment procedure NX-103.
- Verify that the user has selected a “secret word,” such as their mother’s maiden name, and enter it into the help desk account profile.
- Create the account and assign the proper role.
- Assign the secret word as the initial password, and set “Force user to change password on next login” to ‘True.’
- Email the New Account document to the user and their manager.
The steps of this procedure are mandatory. Security administrators do not have the option of skipping step 1, for example, and creating an account without a form.
Other safeguards depend on this fact: when a user calls the help desk because of a forgotten password, the help desk follows its “forgotten password” procedure, which includes asking for the user’s secret word. It could not do that unless step 5 had been completed: without that word, the help desk cannot securely reset the password. This mitigates social engineering attacks, in which an impostor tries to trick the help desk into resetting the password of an account they are not authorized to access. Note that the safeguard is only as strong as the secret itself: the word should be stored hashed rather than readable in the help desk profile, and a value an attacker can research, such as a mother's maiden name, is a weak choice.
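The procedure above, together with the help-desk reset that depends on its step 5, as an added example in Python that is not part of the original page. The role table standing in for NX-103, the request fields, and the in-memory account and help-desk stores are all constructed for the example; step 8 (emailing the New Account document) is outside the model. Each mandatory step is enforced in order, the secret word is stored salted and hashed in the help-desk profile rather than in plaintext, and a reset is refused for any account whose profile is missing, which is exactly the case where step 5 was skipped.

```python
import hashlib
import hmac
import os
import secrets
from dataclasses import dataclass
from typing import Dict, Optional

# Stands in for role-assignment procedure NX-103 (constructed for this example).
ROLE_TABLE = {"accounting": "finance_user", "engineering": "dev_user"}


class ProcedureViolation(Exception):
    """Raised when a mandatory step of the procedure is skipped or fails."""


@dataclass
class NewUserRequest:
    username: str
    department: str
    form_complete: bool          # step 1
    manager_signed: bool         # step 2
    policy_acknowledged: bool    # step 3
    secret_word: Optional[str]   # step 5; None means no secret word was selected


@dataclass
class Account:
    username: str
    role: str
    salt: bytes
    password_hash: bytes
    must_change_password: bool


@dataclass
class HelpDeskProfile:
    salt: bytes
    secret_hash: bytes


# In-memory stores standing in for the directory and the help-desk system (constructed).
accounts: Dict[str, Account] = {}
help_desk_profiles: Dict[str, HelpDeskProfile] = {}


def _hash(value: str, salt: bytes) -> bytes:
    # Salted PBKDF2 so neither help-desk staff nor a database dump sees the word itself.
    return hashlib.pbkdf2_hmac("sha256", value.encode("utf-8"), salt, 100_000)


def create_user(req: NewUserRequest) -> Account:
    """Runs the new-user procedure; every step is mandatory, so any failure aborts."""
    if not req.form_complete:
        raise ProcedureViolation("step 1: request form is incomplete")
    if not req.manager_signed:
        raise ProcedureViolation("step 2: manager has not signed the form")
    if not req.policy_acknowledged:
        raise ProcedureViolation("step 3: user has not agreed to the account security policy")
    role = ROLE_TABLE.get(req.department)
    if role is None:
        raise ProcedureViolation("step 4: no role defined for department %r" % req.department)
    if not req.secret_word:
        raise ProcedureViolation("step 5: user has not selected a secret word")
    # Step 5: record the secret word (hashed) in the help-desk profile.
    hd_salt = os.urandom(16)
    help_desk_profiles[req.username] = HelpDeskProfile(hd_salt, _hash(req.secret_word, hd_salt))
    # Steps 6-7: create the account with its role, set the secret word as the
    # initial password, and force a change at next login.
    pw_salt = os.urandom(16)
    account = Account(req.username, role, pw_salt, _hash(req.secret_word, pw_salt), True)
    accounts[req.username] = account
    return account


def verify_password(username: str, password: str) -> bool:
    account = accounts.get(username)
    if account is None:
        return False
    return hmac.compare_digest(_hash(password, account.salt), account.password_hash)


def reset_password(username: str, claimed_secret: str) -> Optional[str]:
    """Help-desk 'forgotten password' procedure. Returns a temporary password on
    success, or None when the caller fails verification or no profile exists
    (step 5 was never completed, so a secure reset is impossible)."""
    profile = help_desk_profiles.get(username)
    account = accounts.get(username)
    if profile is None or account is None:
        return None
    # Constant-time comparison of the hashed claim against the stored hash.
    if not hmac.compare_digest(_hash(claimed_secret, profile.salt), profile.secret_hash):
        return None
    temporary = secrets.token_urlsafe(12)
    account.salt = os.urandom(16)
    account.password_hash = _hash(temporary, account.salt)
    account.must_change_password = True
    return temporary
```

A caller that skips step 5 cannot get a half-created account: `create_user` raises before anything is written, so neither the directory nor the help desk ends up with an entry that the reset procedure would later have to handle without a secret word.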