What is a Cybersecurity Policy?
Words have specific meanings, so it is important to provide examples from industry-recognized sources for the proper use of the terms that make up cybersecurity & privacy documentation. A cybersecurity policy is a “high-level statement of management intent from an organization’s executive leadership that is designed to influence decisions and guide the organization to achieve the desired outcomes.”
Policies are enforced by standards and further implemented by procedures to establish actionable and accountable requirements. Policies are a business decision, not a technical one. Technology determines how policies are implemented. Policies usually exist to satisfy an external requirement (e.g., law, regulation and/or contract).
In the context of good cybersecurity documentation, the components are hierarchical: each builds on the one above it to form a strong governance structure that takes an integrated approach to managing requirements. Well-designed documentation is generally made up of six (6) main parts:
- Policies establish management’s intent;
- Control Objectives identify leading practices (mapped to requirements from laws, regulations and frameworks);
- Standards provide quantifiable requirements;
- Controls identify desired conditions that are expected to be met (requirements from laws, regulations and frameworks);
- Procedures / Control Activities establish how tasks are performed to meet the requirements established in standards and to meet controls; and
- Guidelines are recommended, but not mandatory.