Policies, Standards, Guidelines & Procedures
Part of the management of any security programme is determining and defining how security will be maintained in the organisation. Ensuring proportionate policies, standards, guidelines and procedures are in place that are understood and consistently enforced is critical in any insider threat programme. They should provide clarity to the reader when dealing with accountability issues or activities that are of importance to the organisation. Knowing where a policy, standard, guideline or procedure is required should be defined by the role based risk assessment process. A key stakeholder in producing effective policies will be the organisation's legal team.
- Policies: Intended to be a set of overarching principles, they do not have to be long or complicated.
- Standards: Outline a set of minimum requirements which must be met when commissioning a new asset. For example, the minimum requirements for locking down the Windows operating system; or a standard used to assess eligibility for security clearance.
- Guidelines: Intended to outline best practice - they are not mandatory, but help employees follow the rules while allowing for flexibility and common sense in different scenarios.
- Procedures: These are how the policies should be enacted in the organisation. They should enable and encourage employees to fulfil a task securely. They should be clear, logical and meet legal requirements.
All of the above should seek to maintain operational effectiveness, whilst doing so in a secure manner.