Up until now we have been talking mainly about doing the “Right Things”. Policies is our first topic focused on “Done Right”. The basic idea of policies is that they simplify decision making and encourage consistant orginzational behavior. The idea works something like this:
- Senior management desires the organization to follow a certain objective behavior. This may be because its required by the law or because its something they choose to do voluntarily.
- It is impossible, or impractical, for senior management to make all the decisions that are necessary to achieve this objective.
- Instead, management approves a policy that describes its objective and how they expect the organization to make related decisions and behave in a compliant manner. The policy may also set up a structure or role to which it delegates additional policy making responsibility in relation to this objective.
- The larger the organization, and the more complex the behavior associated with the objective, the more likely it is that there will be several related policies organized under an overview policy.
- At the end of the day, an employee facing a decision on how to behave in a certain situation should be able to look at the policy and decide for him or herself what to do.
Once available, a policy is apt to generate any number of standards, guidelines and procedures that are intended to help realize the objective. These can all be thought of as controls. Thus, a security policy may say that employees will have unique userids (with least priviledged access) and are accountable for how their userids are used. This generates any number of controls from how userids are provisioned, who needs to approve a new role, what tasks are not permitted in the same role, what passwords are acceptable, how often they need to be changed, etc. These controls are then audited to see if the organization’s controls, if followed, will enable the objective to be meet (sufficiency) and how well each control works (effectiveness).