II.C.1 Policies, Standards, and Procedures

Information security policies, standards, and procedures should define the institution's control environment through a governance structure and provide descriptions of required, expected, and prohibited activities. Policies, standards, and procedures guide decisions and activities of users, developers, administrators, and managers and inform those individuals of their information security responsibilities. Policies, standards, and procedures should also specify the mechanisms through which responsibilities can be met. In addition, they should provide guidance on acquiring, designing, implementing, configuring, operating, maintaining, and auditing information systems. Policies, standards, and procedures that address the information security program should describe the roles of the information security department, lines of business, and IT organization in administering the information security program. Information security policies, standards, and procedures form the means by which the objectives of the information security program are achieved. Key attributes that contribute to the success of information security policies, standards, and procedures include the following:

  • Scope that describes the expectations for appropriate actions by affected parties.
  • Sufficient details to guide behavior.
  • Implementation through ordinary means, such as system administration procedures and acceptable use policies.
  • Enforcement through security tools and restrictions.
  • Delineation of the areas of responsibility for users, developers, administrators, and managers.
  • Clear and easily understandable communications to all affected parties.
  • Certification that employees have read and understand the policies.
  • Flexibility to address changes in the environment.
  • Annual board review and approval.
