Where the Tier 1 policies are approved by the Information Security Steering Committee, the topic-specific (Tier 2) policies are issued by a single senior manager or director.
As with the Tier 1 policies, Tier 2 policies will address management’s position on relevant issues. It is necessary to interview management to determine what their concerns are and what they want to have occur. The writer will take this information and incorporate it into the following structure.
7.2.1 Thesis Statement
This is similar to the Topic section discussed in the Tier 1 policies, but it also adds more information to support the goals and objectives of the policy and management’s directives. This section will be used to discuss the issue in relevant terms and what conditions are included. If appropriate, it may be useful to specify the goal or justification for the policy. This can be useful in gaining compliance with the policy.
When developing a Workstation Standards document, a topic-specific policy on appropriate software, with supporting standards, would include a discussion of “company-approved” software. This policy would define what is meant by “company-approved” software, which could be “any software not approved, purchased, screened, managed, and owned by the organization.” The policy would also discuss the conditions necessary to have software approved.
Once the terms and conditions have been discussed, the remainder of this section would be used to state management’s position on the issue.
7.2.2 Relevance
The Tier 2 policy also needs to establish to whom the policy applies. In addition to whom, the policy will want to clarify where, how, and when the policy is applicable. Is the policy only enforced when employees are on the work-site campus, or will it extend to off-site activities? It is necessary to identify as many of the conditions and terms as possible.
7.2.3 Responsibilities
The assignment of roles and responsibilities is also included in Tier 2 policies. For example, the policy on company-approved software will have to identify the process to get software approved. This would include the authority (by job title) authorized to grant approval and a reference to where this process is documented.
This is a good time to discuss deviations from policy requirements. I have established a personal standard in that I never discuss how an entity can gain a dispensation from the policy. I do not like to state that “this is the policy and all employees must comply, except those of you who can find a way around the policy.” Most organizations have a process to gain an approved deviation from a policy or standard. This normally requires the petitioner to submit a business case for the deviation, along with alternative controls that would satisfy the spirit of the policy. If some organization or person wants a deviation from the policy, let them discover what the process is.
7.2.4 Compliance
For a Tier 2 policy, it may be appropriate to describe, in some detail, the infractions that are unacceptable, and the consequences of such behavior. Penalties may be explicitly stated and should be consistent with the Tier 1 Employee Discipline Policy. Remember that when an employee is found in a noncompliant situation, it is management and Human Resources that are responsible for disciplining the individual.
7.2.5 Supplementary Information
For any Tier 2 policy, the appropriate individuals in the organization to contact for additional information, guidance, and compliance should be indicated. Typically, the contact information would be specified by job title—not by individual name. It may also be prudent to identify the owner of this policy. This information will provide readers with the appropriate information if they have suggestions on how to improve the policy.
To be effective, a policy requires visibility. Visibility aids implementation of the policy by helping to ensure that it is fully communicated throughout the organization. Management presentations, videos, panel discussions, guest speakers, question-and-answer forums, and newsletters will increase visibility. The organization’s Information Security Awareness Program can effectively notify users of new policies. The New Employee Orientation Program can also be used to familiarize new employees with the organization’s policies.
When introducing policies, it is important to ensure that management’s support is clear, especially in areas where employees feel inundated with directives, regulations, or other requirements. Organization policies are the vehicles used to emphasize management’s commitment to effective internal controls and their expectations for employee support and compliance.
Table 8 is an example of a Tier 2 (topic-specific) policy.
The Senate policy discusses what is allowed and what is not allowed. It identifies where a member can go to get additional information on proper usage. In the section indicated by “Scope and Responsibility,” item 1 establishes the Topic or Thesis Statement. Item 3 assigns Responsibilities, and major headings B and C provide Supplemental Information. It also identifies who is responsible to oversee or monitor activities. The only area not apparently covered by this policy is Compliance. Under the circumstances, it may be appropriate to leave out the compliance or consequences in the policy.
Let us examine another sample Internet Usage Policy (see Table 9). This is an interesting Tier 2 policy, in that it adds a Statement of Compliance section that the Internet user is to read and sign. I have encountered a number of policies that use this tactic. A word of warning about usage and responsibility statements: they must be revisited annually to ensure employees remember that they signed such a document. It is important that this reminder be part of the annual information security awareness program. This will ensure that the desired effect remains active.
A typical Usage and Responsibility Statement might look like the one in Table 10. Another area that requires a Tier 2 policy is the proper use of electronic mail (e-mail). We will examine two existing e-mail policies and compare them to the criteria we have established for these types of policies.
The opening paragraph in Table 11 spells out what this policy is about, what is unacceptable behavior, that activities are subject to monitoring, and that noncompliance will be referred to management. This is a good, strong opening statement. The remainder of the policy supports the other objectives of proper e-mail usage.
Items 1, 2, 8, and 9 discuss compliance issues. Item 4 discusses the relevance issues, and items 4, 5, and 7 handle responsibility concerns. I have only one real problem with this policy and that is the use of the term “guideline.” Over the years, my research into policy writing has led me to believe that in many instances the term “guideline,” when used in a policy like the one above, really means “standard.”