7.1.1 Topic.
The topic portion of the policy defines what the policy is specifically going to address. Because the attention span of readers is limited, the topic must appear quickly, for example, in the opening or topic sentence. I normally suggest (note that this is a guideline, not a standard) that the topic sentence also include a “hook,” that is, the reason why I, as a reader, should continue to read this policy. So, in the opening sentence, we want to convey two important elements: (1) the topic (it should have something to do with the title of the policy), and (2) the hook (why the reader should continue to read the policy).
An opening topic sentence might read as follows: “Information created while employed by the company is the property of the company and must be properly protected.”
7.1.2 Scope.
The scope can be used to broaden or narrow either the topic or the audience. In an information security policy statement, we could say that “information is an asset and the property of the company and all employees are responsible for protecting that asset.” In this sentence we have broadened the audience to include all employees. We can also say something like, “Business information is an essential asset of the Company. This is true of all business information within the Company, regardless of how it is created, distributed, or stored and whether it is typed, handwritten, printed, filmed, computer generated, or spoken.” Here, the writer broadened the topic to include all types of information assets.
Another example of adjusting the scope might be as follows: “Information of The Company, its subsidiaries and affiliates in electronic form, whether being transmitted or stored, is a key asset of the Company and must be protected according to its sensitivity, criticality, and value.” Here, the topic is narrowed to information in “electronic form.” However, the audience is broadened to include “subsidiaries and affiliates.”
We can also use the scope concept to narrow the topic or audience. In an Employment Agreement policy, the audience is restricted to a specific group, such as the following:
• The parties to this Agreement dated (specify) are (Name of Company), a (specify State and type of company) (the “Company”), and (Name of Employee) (the “Executive”).
• The Company wishes to employ the Executive, and the Executive wishes to accept employment with the Company, on the terms and subject to the conditions set forth in this Agreement. It is therefore agreed as follows:
Here, the policy is restricted to Executives and will then go on to discuss what can and cannot be done by the executives. A sample employment agreement policy is contained in the section entitled “Tier 2 Policy Examples.”
7.1.3 Responsibilities.
Typically, this section of the policy identifies who is responsible for what. When writing, it is better to identify the “who” by job title and not by name, because names change far more often than the policy will be revised. Here again, the Office Administrator’s Reference Guide can be of great assistance. The policy will want to identify what is expected from each of the stakeholders.
7.1.4 Compliance or Consequences.
When business units or employees are found to be in a noncompliant situation, the policy must spell out the consequences of these actions. For business units or departments, if they are found in noncompliance, they are generally subject to an audit item and will have to prepare a formal compliance response.
For an employee, being found in noncompliance with a company policy will mean they are in violation of the organization’s Employee Standards of Conduct and will be subject to consequences described in the Employee Discipline Policy.
7.1.5 Sample Information Security Global Policies.
We now examine sample information security policies and then critique them. The written policy should clear up confusion, not generate new problems. When preparing a document for a specific audience, remember that the writer will not have the opportunity to sit down with each reader and explain what each item or sentence means. The writer will not be able to tell every person how the policy will impact the reader’s daily assignments. When writing a policy, know your audience. For a global (Tier 1) policy, the audience is the employee base.
Using the general employee population as a base, let us examine a few policies and see if they have the four key elements we should be looking for. We want to see if these policies have:
• A topic (including a topic sentence and a “hook”)
• Scope (whether it broadens or narrows the topic or the audience, or both)
• Responsibilities (based on job titles)
• Compliance or consequences
Table 4 addresses the checklist as follows:
• Topic: “Information is a valuable corporate asset…. As such, steps will be taken to protect information….”
• Responsibilities: “The protection of these assets is a basic management responsibility.”
• Scope: “Ensuring that all employees understand their obligation to protect these assets.”
• Compliance: “Noting variance from established security practice and for initiating corrective action.”
This policy is a good start. However, the topic is vague, and that is not acceptable. The most important goal of any writing is to quickly identify the topic. Without the title, we have only a vague idea of where the document is leading us.
When the policy establishes responsibilities, it will work best if you use an active verb. In this example, the writer weakens the verbs “identify,” “ensure,” and “note” by adding the suffix “ing,” turning them into gerunds (“identifying,” “ensuring,” “noting”) that no longer state who must act. Try to avoid this kind of passive construction whenever possible.