The four components of security documentation are policies, standards, procedures, and guidelines. Together, these form the complete definition of a mature security program.

The Capability Maturity Model (CMM), which measures how robust and repeatable a business process is, is often applied to security programs. The CMM relies heavily on documentation for defining repeatable, optimized processes. As such, any security program considered mature by CMM standards needs to have well-defined policies, procedures, standards, and guidelines.
• Policy is a high-level statement of requirements. A security policy is the primary way in which management’s expectations for security are communicated to the builders, installers, maintainers, and users of an organization’s information systems.
Security Policies
A security policy is the essential foundation for an effective and comprehensive security program. A good security policy should be a high-level, brief, formalized statement of the security practices that management expects employees and other stakeholders to follow. A security policy should be concise and easy to understand so that everyone can follow the guidance set forth in it.
In its basic form, a security policy is a document that describes an organization’s security requirements. A security policy specifies what should be done, not how; nor does it specify technologies or specific solutions. The security policy defines a specific set of intentions and conditions that will help protect an organization’s assets and its ability to conduct business. It is important to plan an approach to policy development that is consistent, repeatable, and straightforward.