Several Types of Policy
The Executive View
Most textbooks on policy development focus on the technical side of matters. For example, some go to great lengths about all the details of access control. In doing so they achieve two ends:
- Firstly, and most obviously, this technology-focused approach results in a mass of technical details. This often confuses what is policy, what is standards and what is procedure.
- Secondly, resulting from this, the overwhelming consequence is that the policies are obtuse and incomprehensible to much of the organization, not least of all the managers, the executive and the board.
This problem usually comes about because the task of writing policy has been limited to that of IT security and has been therefore delegated to the IT department and written by a technician who does not have a crucial role in some other project. Said technician is unlikely to have good writing skills or the necessary breadth of experience. But most importantly of all, the technician will not have the viewpoint that addresses the whole of the organization from a business perspective.
Considered in this light, the resulting quality of many published and commercially available policies and books on policy is not surprising. The idea that 1,400 “Policies” is somehow a better bargain than a mere 1,100 fails to address what POLICY is really about by confusing policy with controls, standards and procedures.
The section “The Good and the Bad” (/policy/the-good-and-the-bad/) gives an illustration of this gulf. The example of the “good” policy is:
"Access to Corporate Information System resources will be restricted to authorized users in accordance with their roles. Users will uniquely identify themselves and be accountable for the actions carried out under this identification."
As a policy statement, this has many advantages, the greatest of which are its clarity and generality. It can be understood by everyone from the Board of Directors to the janitor. It is a general statement that can be applied in many specific circumstances.
The Functional View
This structure of policy is very common when written from a technical point of view or by technical staff. As such it concentrates on the functioning of the technical aspects of the organization rather than on the business aspects. One of the side-effects of a technical viewpoint is that it may be difficult to communicate to non-technical people.
The Corporate View
This view can take many forms depending on the nature of the organization – non-profit, service, sales, manufacturing, R&D. It focuses on the management of the organization – hence the “Mission Statement” prominently displayed.
In the same way that the functional view is optimized for a technical point of view, a corporate view may appear to lack the “slots” for the technical details.
The Academic View
An information security policy for an academic institution may vary even more than for a corporate one. Academic institutions place great emphasis on freedom of communication and thought, but at the same time, by their very nature, tend to be “hot-beds” of experimental learning that may overflow into behaviour that is detrimental to the other users or the world at large.
This view is included to show the scope that a policy may have to cover.
Senior Management Statement of Policy
This is often the first policy to be formulated.
- It acknowledges the importance of the information and information-processing resources to the business.
- It is a statement of support for good practice in information handling, security and regulatory compliance.
- It is a commitment of support to authorize and manage the formulation and enforcement of lower level policy, standards, guidelines and procedures.
This can be a very short statement, but it is very important as it gives validity and mandate to the policy process. Without such a document, other managers and supervisors can "opt-out", claim to be exempt, and otherwise drag their heels.
These are policies that the organization is required to implement to meet compliance with governmental or legal requirements.
Such policies have two primary objectives:
- To ensure that the organization is following the mandated baseline practices of operation and/or reporting that apply to its industry.
- To give the directors and executives confidence that their fiduciary obligations are being met.
This kind of policy focuses on the decisions management has taken that pertain to a particular system. Although we tend to think of a "system" as a piece of information processing hardware and software, the system could be an organizational unit, division or even a particular business operation and its processes. This kind of policy is often an "operating manual" for that system.
Program or Project Policy
There are also ‘policies’ that are present in many organizations but do not follow the strict definitions that have been discussed here:
As the name suggests, these are policies that give guidance.
Following them is strongly suggested and the consequences of failing to follow them may be severe.
These exist purely to inform the reader.