Skip to main content

Computer Security Policy: Part 1 - Hierarchy of Management Direction

When writing computer security policy, or any policy for that matter, it is important to remember that there is a hierarchy when it comes to the types of documents that make up policy.

  • Laws & Regulations

  • Policy

  • Standards/Directives

  • Procedure

  • Guideline

Laws & Regulations

These are the compulsory rules, with sanctions, declared by the government for all citizens.

Here in Canada, the laws are passed by elected members of parliament.  In the United States, laws are passed by elected members of Congress, and then ratified by the Senate.  The president signs the law into being.


A policy is "a high level statement of enterprise beliefs, goals, and objectives and the general means of attainment" (Peltier).   Another way to look at it is that "policy is the articulation of the intentions of management".  (Fites/Kratz)

It's a course of action or a principle taken by a group of individuals used to govern themselves.


Standards could be defined as required activities that provide a support structure and direction on how to carry out policies.

"A document, established by consensus and approved by a recognized body, that provides, for common and repeated use, rules, guidelines or characteristics for activities or their results, aimed at the achievement of the optimum degree of order in a given context."  (Standards Council of Canada)


A procedure is a set way to perform a task.  It is a series of instructions to be completed in a particular order or manner.


Guidelines are "general statement designed to achieve policy".  (Peltier)

They could also be classified as a forceful recommendation to achieve a certain goal.


  1. [...] here: Computer Security Policy: Part 1 – Hierarchy of Management … Related Reading: Secrets to Winning at Office Politics: How to Achieve Your Goals and Increase Your [...]


Post a Comment

Popular posts from this blog

Policies and Controls are King in the IT Security world

I came across an article by Roger Grimes over at Infoworld on how security policies and controls are the real power when it comes to IT security. Roger mentions the SANS 20 Critical Security Controls for Effective Cyber Defence , which are a great read for anyone looking at updating or auditing your policies for completeness. The SANS top 20 controls are a must for any organization: Inventory of Authorized and Unauthorized Devices Inventory of Authorized and Unauthorized Software Secure Configurations for Hardware and Software on Laptops, Workstations, and Servers Secure Configurations for Network Devices such as Firewalls, Routers, and Switches Boundary Defense Maintenance, Monitoring, and Analysis of Security Audit Logs Application Software Security Controlled Use of Administrative Privileges Controlled Access Based on the Need to Know Continuous Vulnerability Assessment and Remediation Account Monitoring and Control Malware Defenses Limitation and Control

Error 217 - Error creating product object on Domino 64 bit

I'd like to share something with you.   An error that you'll get if you are trying to use ODBC with Domino 8.5.1 64bit. It starts out with an agent error of Error 217.  The text of the error is "Error creating product object" You can read about it here on the Notes/Domino forum . You can find the solution here as well . I guess I'm now waiting for Domino 8.5.2 for a solution for this.   It would have been nice to have had this in the release notes.  It would have help me greatly.

Reminder: Increase the maximum available memory on your Lotus Notes client JVM today!

Yup, that's right.  Public Service Announcement time. If you haven't increased the maximum memory available to your Lotus Notes JVM yet, what are you waiting for? By default, the Notes JVM only has 256mb of memory available to it.  On a system with 4GB+ of memory, you should be easily able to increase it to 1/4 to 1/3 of the system memory and improve the end user performance. Here's how: Shut down Lotus Notes. In order to make sure that all processes are stopped, run this command:  Start -> Run Type: C:\Program Files (x86)\IBM\Lotus\Notes\nsd.exe -kill Open: C:\Program Files (x86)\IBM\Lotus\Notes\framework\rcp\deploy\ Open the "" file in a text editor like notepad.  You will possibly require Administrator permissions. At the beginning of the file, you will see text surrounded by a lot of pound signs ####. The first ‘property’ after the last # sign is: vmarg.Xmx=-Xmx256m Change 256m to 1024m so that the line reads: vmarg.X