Skip to main content

Governance Elements

Updated Jan 30, 2024 ·

Policies

Policies, influenced by laws and standards, provide strategic direction and priorities, guiding decision-making and compliance.

  • Top tier of security documentation
  • Strategic in nature, broad outlines of security goals and practices

Security Policy Categories

Security policies are categorized based on their purpose, scope, and the level of enforcement they require. These categories help in managing various aspects of security across an organization.

  • Regulatory Policies

    • External policies imposed by external government or regulatory bodies.
    • Mandatory compliance with specific legal requirements (e.g., GDPR, HIPAA).
    • Ensure protection of sensitive data and adherence to industry standards.
    • Legal requirements that an organization must follow to avoid penalties.

  • Governance Policies

    • Internal policies by an organization to guide its overall direction and operations
    • Ensures an organization runs effectively and in alignment with its strategic goals.
    • Internal management and accountability within the organization.

  • Compliance-driven Policies

    • Ensure both internal and external compliance obligations are met.
    • Imposed by laws, regulations, or contracts.
    • Documented and assessed for effective organizational use.
    • May include audits and assessments to verify adherence.

  • Advisory Policies

    • Provide guidance or recommendations on best practices.
    • Typically non-mandatory, but highly encouraged.
    • Help employees make informed decisions about security measures.
    • Example: Advising secure configurations or specific use cases for tools.

  • Informative Policies

    • Share general information about the organization’s security stance.
    • Typically non-enforceable, used for awareness purposes.
    • Explain the rationale behind security measures or updates.
    • Example: Informing staff about recent cybersecurity threats.

Security Policy Types

Security policies are also classified based on the focus and scope of their application within the organization.

  • Organizational Policies

    • Focus on organization-wide aspects.
    • Direct behavior and activities toward specific or general goals.
    • Cover areas like human resources, finance, accounting, security, etc.

  • Issue-specific Policies

    • Focus on specific aspects (e.g., department, service, etc.).
    • Includes data encryption, incident response, or acceptable use.
    • Ensure clarity and control over specific security issues.
    • Regularly updated to reflect changing security threats.

  • System-specific Policies

    • Focus on secure handling of specific systems or types of systems.
    • Establish guidelines for the configuration and management of IT systems.
    • Include system-specific access control, backup, and recovery protocols.

Implementation through Procedures

Security policies are implemented through detailed procedures that transform policy directives into actionable steps.

  • Policies expanded into step-by-step instructions for execution.
  • Implemented by individuals to achieve organizational goals.
  • Ensure consistency and adherence to security measures across operations.

Key IT Policies

Organizational security policies provide guidelines and rules to protect an organization’s assets, data, and systems. These policies ensure that employees, contractors, and other stakeholders follow best practices to minimize security risks. Below are some of the common policies:

  • Employee/Contractor Hiring Policy
  • Accounts/Credential Policy
  • Password Policy
  • Data Handling Policy
  • Bring Your Own Device
  • Privacy Policy
  • Acceptable Use Policy
  • Information Security Policy
  • Business Continuity Policy
  • Disaster Recovery Policy
  • Incident Response Policy
  • SDLC Policy
  • Change Management Policy

For more information, please see Common Security Policies.

Standards

Organizations use standards as compliance documents and guidelines, which defines the specific technical requirements for security controls, including incident response procedures.

Common Standards

These are widely recognized standards that provide guidelines and best practices for various industries, especially in information security and technology.

  • International Organization for Standardization (ISO)

    • Develops international standards on various technical subjects, including information systems and security.
    • Solicits input from global experts before publishing.

  • National Institute of Standards and Technology (NIST)

    • U.S. government agency publishing technical standards, especially for information technology and security.
    • Standards are requirements for U.S. government agencies and widely accepted globally.

  • Internet Engineering Task Force (IETF)

    • Establishes communication protocol standards for global computer connectivity.
    • Enables computers to communicate seamlessly across borders.

  • Institute of Electrical and Electronics Engineers (IEEE)

    • Sets standards for telecommunications, computer engineering, and related disciplines.

Baselines

These are rules that define a minimum level of security that is required throughout the organization. Baselines ensure consistency and compliance across different systems and platforms.

  • Platform-specific, based on industry or government standards.
  • Establish basic security settings and configurations.
  • Used to measure compliance and identify risks.
  • Updated regularly to address new threats.

For more information, please see Security Baselines.

Guidelines

Guidelines are general statements used to recommend an approach in implementing policy and standard objectives.

  • Offer advice on best practices and preferred methods for implementing security controls.
  • Allow for discretion and adaptability based on specific circumstances and needs.
  • Flexible, does not specify controls or configuration settings, customizable.
  • Not mandatory, they are only recommendations to be considered.

Procedures

Procedures define specifically how policies, standards, and guidelines will be implemented in a given situation. They typically contain the detailed steps to complete tasks supporting departmental or organizational policies.

  • Provide supporting data and decision criteria.
  • Address both one-time and regular occurrences.
  • May focus on a single component or an entire system.
  • Mandatory, establish measurement criteria for task completion.

Examples:

  • Emergency Evacuation Procedure

    • Outlines steps to take in case of emergency, such as fire.
    • Evacuation routes, assembly points, and roles and responsibilities.

  • Data Backup Procedure

    • Details how and when data should be backed up to prevent data loss.
    • Steps for daily or incremental backups, or weekly full backups.~

Regulations and Laws

Regulations and associated fines and penalties can be imposed by governments at the national, regional, or local level. Note that regulations and laws can be imposed and enforced differently in different parts of the world:

  • HIPAA (United States)

    • Governs the use of Protected Health Information (PHI).
    • Violation entails fines and/or imprisonment for individuals and companies.

  • GDPR (European Union)

    • Controls the use of Personally Identifiable Information (PII).
    • Imposes financial penalties on companies handling EU citizens' data, regardless of physical presence.

  • Multinational Considerations

    • Multinational organizations navigate regulations at various levels.
    • Must comply with the most restrictive regulation across national, regional, and local levels.