Up until now we have been talking mainly about doing the “Right Things”.  Policies is our first topic focused on “Done Right”.  The basic idea of policies is that they simplify decision making and encourage consistant orginzational behavior.  The idea works something like this:

1. Senior management desires the organization to follow a certain objective behavior.
2. It is impossibile, or impractical, for senior management to make all the decisions that are necessary to acheive this objective.
3. Instead, management approves a policy that describes its objective and how they expect the organization to make related decisions and behave in a  compliant manner.  The policy may also set up a structure or role to which it delegates additional policy making responsibility in relation to this objective.
4. The larger the organization, and the more complex the behavoir associated with the objective, the more likely it is that there will be several related policies organized under an overview policy.
5. At the end of the day, an employee facing a decision on how to behave in a certain situation should be able to look at the policy and decide for him or her self what to do.

Once available, a policy is apt to generate any number of standards, guidelines and procedures that are intended to help realize the objective.  These can all be thought of as controls.  Thus, a security policy may say that employees will have unque userids (with least priviledge access)  and are accountable for how their userids are used.  This generates any number of controls from how userids are provisioned, who needs to approve a new role,  what tasks are not permitted in the same role, what passwords are acceptable, how often they need to be changed, etc.  These controls are then audited to see how the organization behaves in relation to the objective (sufficiency) and how well each control works (effectiveness).

Anthony and Matt both pointed out that the list of topics in my weekly post was different than the one in your syllabus.  Please follow the syllabus although I have fixed the post also.

Readings

There will be no reading questions this week.

Policy Project

Work with yourteam and pick one of the security topics listed in the  syllabus that interests you.  Use the readings as a guide to writing your policy statement.  Then prepare a 5 minute or less video that introduces your new policy to your hypothetical company.

The possible topics are:

• Acceptable Use Policy
• Social Security Number Policy
• Security Response Policy
• Remote Access Policy
• Web Application Security Policy
• Work Station Encryption Policy