Tuesday, 31 May 2011

Computer Security Policy: Part 1 - Hierarchy of Management Direction

When writing computer security policy, or any policy for that matter, it is important to remember that there is a hierarchy when it comes to the types of documents that make up policy.

  • Laws & Regulations

  • Policy

  • Standards/Directives

  • Procedure

  • Guideline


Laws & Regulations

These are the compulsory rules, with sanctions, declared by the government for all citizens.

Here in Canada, the laws are passed by elected members of parliament.  In the United States, laws are passed by elected members of Congress, and then ratified by the Senate.  The president signs the law into being.

Policy

A policy is "a high level statement of enterprise beliefs, goals, and objectives and the general means of attainment" (Peltier). Another way to look at it is that "policy is the articulation of the intentions of management" (Fites/Kratz).

It's a course of action or a principle that a group of individuals adopts in order to govern itself.

Standards

Standards could be defined as required activities that provide a support structure and direction on how to carry out policies.

"A document, established by consensus and approved by a recognized body, that provides, for common and repeated use, rules, guidelines or characteristics for activities or their results, aimed at the achievement of the optimum degree of order in a given context."  (Standards Council of Canada)

Procedures

A procedure is a set way to perform a task.  It is a series of instructions to be completed in a particular order or manner.

Guidelines

Guidelines are a "general statement designed to achieve policy" (Peltier).

They could also be classified as a forceful recommendation to achieve a certain goal.