III.C.1 Policies, Standards, and Procedures
In general, a policy is a governing principle that provides the basis for standards and is adopted by the board. The policy is an overall statement of the institution's philosophy or intent. Standards are mandatory criteria that ensure conformity with policy, government regulations, and acceptable levels of control. Procedures are typically documents that describe, in detail, the behavior or processes used to adhere to the criteria mandated by standards. Clearly written and frequently communicated policies can establish clear assignments of duties, help staff coordinate and perform their tasks effectively and consistently, and aid in training staff. Senior management should ensure that policies, standards, and procedures are current, well documented, and integrated with the institution's information security strategy.
Institution management should create, document, maintain, and adhere to policies, standards, and procedures to manage and control the institution's IT risk. The level of detail depends on the complexity of the IT environment but should enable management to monitor the identified risk posture. Review of adherence to documented policies, standards, and procedures may be performed internally, by a risk or compliance function in the institution, or through independent audit. This review often helps to identify problems early so they can be corrected before they become serious.
III.C Risk Mitigation