Sample Policy Development

In document Information Security Governance (Page 123-126)

Implementing Strategy

12.5 ELEMENTS OF STRATEGY

12.5.1 Policy Development

12.5.1.2 Sample Policy Development

In Chapter 11 we used CMM Level 4, Managed and Measurable, for developing security objectives and controls. The same fifteen stated attributes and characteristics can also provide the basis for policy development in support of the strategy. To demonstrate policy development, a sample policy for each of the fifteen attributes might be as follows.

CMM 1. The assessment of risk is a standard procedure, and exceptions to following the procedure would be noticed by security management.

Policy:

Risk to XYZ Corporation shall be assessed using a standardized approach on a regular basis, or as changes in circumstances warrant.

CMM 2. Information security risk management is a defined management function with senior-level responsibility.

Policy:

Roles and responsibilities for managing risk shall be defined for XYZ Corporation under the direction of an executive-level individual reporting to the Chief Executive.

CMM 3. Senior management and information security management have determined the levels of risk that the organization will tolerate and have standard measures for risk/return ratios.

Policy:

Information security risks shall be managed to defined levels consistent with classification levels and controlled by appropriate security baselines set forth in the related XYZ Corporation Information Security Standards. Acceptable levels of risk shall be defined in terms of maximum acceptable impacts and reviewed and approved by senior management no less than annually or more often as changing circumstances dictate.

CMM 4. Responsibilities for information security are clearly assigned, managed and enforced.

Policy:

Roles and responsibilities of XYZ Corporation shall be unambiguously defined and all required security functions formally assigned to ensure accountability. Acceptable performance shall be ensured by appropriate monitoring and metrics.

CMM 5. Information security risk and impact analysis is consistently performed.

Policy:

Risk and impact analysis shall be required for all critical or sensitive corporate activities and key controls on a periodic basis and as a required part of new initiatives and change management.

CMM 6. Security policies and practices are completed with specific security baselines.

Policy:

Comprehensive policies and standards shall be developed, implemented, maintained, and enforced utilizing appropriate processes to review, monitor, and measure compliance.

CMM 7. Security awareness briefings have become mandatory.

Policy:

All personnel shall be made aware of relevant policies and standards annually or as changes warrant. Proficiency and competence shall be assessed on a regular basis and appropriate training provided as needed to ensure adequate proficiency levels.

CMM 8. User identification, authentication and authorization are standardized.

Policy:

Physical and electronic access to XYZ Corporation information assets must be controlled in a manner that effectively precludes the compromise of confidentiality, integrity, and availability.

CMM 9. Security certification of staff is established.

Policy:

Individuals with access to information assets belonging to XYZ Corporation and its Affiliates must undergo a background investigation, sign a confidentiality agreement, and have demonstrated proficiency and competence in their areas of responsibility.

CMM 10. Intrusion testing is a standard and formalized process leading to improvements.

Policy:

All technical service providers, whether internal or external, to XYZ Corporation and its Affiliates must construct, manage, operate, and maintain systems in a manner that ensures the availability, integrity, and confidentiality of information assets owned by XYZ Corporation and its Affiliates.

CMM 11. Cost–benefit analyses supporting the implementation of security measures are increasingly being utilized.

Policy:

Key security control objectives and their linkage to business objectives shall be formally defined and be aligned with the control documentation and requirements of ISO 27001. Controls must address defined control objectives and be implemented, tested, managed, and maintained to assure the management of risk to acceptable, defined levels, and processes must be implemented to provide continuous monitoring and relevant metrics on the effectiveness of controls, and must provide adequate warning of control failure.

CMM 12. Information security processes are coordinated with the overall organization security function.

Policy:

A steering committee comprised of senior representatives of all significant organizational departments and divisions shall be formed with a charter and scope to ensure that all assurance functions are integrated, and that risks are identified, prioritized, and managed appropriately.

CMM 13. Information security reporting is linked to business objectives.

Policy:

Information security objectives for XYZ Corporation shall be defined and a strategy developed and maintained that provides direct linkages to organizational strategies and objectives. A governance structure and framework shall be developed that describes the combination of technical, operational, management, and physical security controls in relation to the organization’s technical and operational environments.

CMM 14. Responsibilities and standards for continuous service are enforced.

Policy:

Information systems infrastructure shall be managed to ensure that system configurations are in conformance with published security standards and security baselines are maintained. Change management shall be a formal process encompassing all changes capable of adversely impacting security, and a summary of changes, potential risks and impacts, and applied risk mitigation measures shall be supplied to Corporate Security on a timely basis.

CMM 15. System redundancy practices, including use of high-availability components, are consistently deployed.

Policy:

All technical service providers, whether internal or external, to XYZ Corporation and its Affiliates must construct, manage, operate, and maintain systems in a manner that ensures the availability, integrity, and confidentiality of information assets owned by XYZ Corporation and its Affiliates.