This snapshot taken on 04/03/2010, shows web content selected for preservation by The National Archives. External links, forms and search boxes may not work in archived websites.

Policy and Standards

Introduction

Sound policies (often referred to as Corporate Governance) are the bedrock on which information security is built.

Their role is to provide focus and direction, and act as the 'glue' that binds all aspects of information security management together. On their own, they provide very little. They need support, including:

  • Management procedures
  • Technical specifications and tools
  • Appropriate education and awareness initiatives

You may decide to create your own policies from first principles, but this is rather like reinventing the wheel.

Policies are normally based on published standards, which provide a specification for an Information Security Management System (ISMS).

Don't be intimidated by the concept of policies. They need not be tortuous legalese. They are a statement of intent by your company's managers. A straightforward policy might be:

  • We will work inside the law
  • We will ensure that the company and its stakeholders are protected from harm by information loss or damage through appropriate controls
  • We will endeavour to match best practice in information security by meeting recognised standards

The terminology surrounding policy and standards can be daunting, but it needn't be. See Policy & Standards Terminology below for a quick checklist.

How the policy is implemented can be more complex and needs due consideration.

A sample template for an Information Security Policy is contained in the BERR publication "Information Security: A Business Manager's Guide". Our "How To Write an Information Security Policy" guide may also be useful.

Terminology

There are many terms used to describe different governance publications. In the USA, for example, it is common to use the term 'policy' for documents that are often described in the UK as 'standards'. This can lead to misunderstanding.

Models used in this section refer to the following terms:

Corporate Policy

A corporate policy sets out an organisation's intentions and principles regarding information security.

Corporate Policy must:

  • Be clear and unambiguous
  • Include statements covering:
    • Legal and Regulatory obligations
    • Responsibilities (Ownership)
    • Strategic approach
      • Adherence to standards
      • Use of common methods
    • Approach to Risk Management
    • Scope
      • Business Processes
      • Technology
      • Physical Security
    • Action in the event of Policy Breach

Specific Policies

Specific policies change more rapidly than Corporate policies. As they are more detailed and specific, they need more regular review. Suggested Specific Policies include:

  • Information Classification
  • Access Control
  • Operations
  • Incident Management
  • Physical Security
  • Human Resources
  • Third Party Access
  • Business Continuity Management

Standards

Security standards provide specific guidance to achieve security. They are used as a benchmark for audit and are derived from:

  • Industry best practice
  • Experience
  • Business drivers
  • Internal testing

Standards must be reviewed regularly to ensure that new releases and vulnerabilities are addressed.

Example standards include:

  • UNIX Server builds
  • Firewall configurations
  • Connectivity protocols

Procedures

Any qualified employee or contractor should understand security procedures. The procedures should be:

  • Clear
  • Unambiguous
  • Up to date
  • Tested
  • Documented

Example procedures include:

  • User ID addition / removal
  • Server backup
  • Incident management