Security Policies

A security policy is driven by the corporate decisions regarding risk, based on the business context. It is the result of determining what is at risk and how to reduce that risk. The same set of threats and risks may be viewed as less severe by a more risk-accepting organization. A security policy is a layering of policies on top of procedures and practices. It is akin to a pyramid, with the top layer being the corporate security policy. This sets the high-level direction for the organization. Its scope is organization-wide, and it represents a general statement of the security goals. The corporate policy is both static and non-technical, being goal-driven and not specifying technologies. It provides broad guidance for the organization, leaving the more dynamic and technical details to the lower policy layers.

Standards take the general goals and restate them in terms of specific technology areas. Below this are practices and procedures, the most technical and dynamic layers of policy. These represent the details needed to implement the overall security policy. Practices are the detailed steps to implement the technology. Procedures are the steps used to interface the technology with the environment (users, operators, and so on). At this layer the procedures may specify products and the specific processes to be used. For example, a standard would state the more specific requirement that a single sign-on technology is needed across all applications and systems. The practices and procedures would then specify the identity management and access control products, as well as the processes to populate and manage users.

Security policy lifecycle

The lifecycle is applicable from the corporate level down to the lowest level and includes:

  • Assess risk: Assess the risk resulting from the business context for the organization. This assessment provides the business context necessary to develop the security policies.
  • Develop security policies: Develop the layers of policy (standards, practices and procedures) that put the security in place. These policies are communicated to the organization as needed.
  • Implement security policies: Security policies are put into effect to manage normal operation.
  • Manage security policies: Security policies are reviewed for effectiveness and currency.
  • Audit security policies: Auditing measures the degree of policy adherence and identifies any gaps.
