What are policies?

Policies are high-level statements of management intent. They state what must be done and why, without prescribing step by step how it is to be done. In general, policies:

  • Influence decisions and guide the organization to achieve the desired outcomes; and
  • Are enforced by standards and are further implemented by procedures to establish actionable and accountable requirements.

Characteristics of strong policies:

  • Endorsed by leadership (C-suite or board);
  • Clearly articulate purpose, scope, responsibilities and objectives; and
  • Serve as foundational mandates, with supporting cybersecurity standards and procedures providing the means to implement them.

Unfortunately, many IT/cybersecurity professionals say “policy” when they actually mean “standard.” The two terms are not interchangeable, and conflating these critical documentation components creates a significant amount of confusion. Standards are subordinate to policies: a standard addresses the granular requirements needed to satisfy a policy. Because that detail lives in the standard, a policy statement of one to three sentences is sufficient to capture the “high-level statement of management intent” for a specific domain.

  • An organization is expected to have multiple policies to address its cybersecurity and data privacy needs (e.g., access control, data handling, etc.);
  • Policies address the strategic needs of the organization; and
  • There is never a justifiable reason for an exception to a policy. Exceptions belong only at the standard or procedure level.