Information Security Policy Frameworks

This post provides resources to create Information Security policies, standards, procedures and guidelines.

Documenting IT Security Policy Frameworks

IT Security Policy Framework Document Types

IT security policy framework documents:

• Policy
• Standard
• Procedure
• Guideline
• Baseline

Policy

Policies would be like the constitution, while procedures are the laws.

Policy lifecycle management is a process for creating, maintaining, and retiring policies and procedures in an organization.

Compliance with policies is mandatory.

Policies are usually approved by the CEO or a similarly high-level executive.

Policies would be like the constitution, while standards or procedures are the laws.

It should contain at least:

• Importance of cybersecurity to the organization
• Require that all staff protect information security principles (CIA)
• Ownership of data created and/or process by the organization
• Designation of the executive responsible of information security (such as CISO) or any other individual
• Delegation of authority to executive responsible to create the other IT security policy framework documents (standards, procedures and guidelines)

Common policies:

• information security policy
• Acceptable use policy
• Data owneship policy
• Data retention policy
• Account mangaement policy
• Password policy

You can read more about templates on IT security policy framework on this post.

Standard

A standard provides a framework of general solutions to be used (e.g., applications and tools) across the organization.

They may specify in more detail that is outlined by the policies.

It may include:

• Applications and tools for a given need
• Configuration settings for a given IT asset
• Controls to be applied in given circumstances

Standards are usually mandatory.

They are approved by a lower level than a policy, for example, the responsible of IT security.

Procedure

Procedures are detailed, step-by-step repeatable processes that individuals and organizations follow in specific circumstances.

They may specify in more detail that is outlined by the policies.

Procedures are usually mandatory.

They are approved by a lower level than a policy, for example, the responsible of IT security.

Guideline

Guidelines contains helpful information to follow procedures.

Guidelines are usually optional.

They are approved by a lower level than a policy, for example, the responsible of IT security.

Baseline

A baseline is a minimum reference that should be considered and followed.

Baseline minimums are mandatory, though they may be exceeded.

Exceptions to mandatory IT security framework policy Documents

For mandatory documents (such as policies, standards and procedures) exceptions may happen. An exception process should be defined and be covered in these documents.

The exception request should include:

• Reference to the requirement that needs an exception
• Reason for noncompliance with the requirement
• Business and/or technical justification for the exception
• Scope and duration of the exception
• Risks associated with the exception
• Description of compensating controls

A reference could be the state of Washington exception process.

According to the PCI DSS, compensatory controls must do the following:

• meet the intent and rigor of the original stated requirement;
• provide a similar level of defense as the original PCI DSS requirement, such that the compensating control sufficiently offsets the risk that the original PCI DSS requirement was designed to defend against;
• be “above and beyond” other PCI DSS requirements (simply being in compliance with other PCI DSS requirements is not a compensating control);
• address the additional risk imposed by not adhering to the PCI DSS requirement; and
• address the requirement currently and in the future; a compensating control cannot address a requirement that was missed in the past (for example, where performance of a task was required two quarters ago, but that task was not performed).

Templates for Information Security Policy Frameworks

Some templates for Information Security Policies and Procedures:

• SANS Information Policy Templates

In addition to these policy templates, the following sources can be also used as references:

• Information security frameworks
• Information security controls

You can find a list of IS frameworks (like ISO/IEC 27001 or NIST Cyberframework) on this post.

You can find a list of information security controls (like ISO/IEC 27002 or NIST SP 800-53 ) on this post.

SANS Information Policy Templates

SANS Information Policy Templates official web

Tools to generate Information Security Policies

Tools to generate IT security policies:

• JupiterOne’s Security Policy Templates

JupiterOne’s Security Policy Templates

JupiterOne’s Security Policy Templates code repository

You might also be interested in…

• Information Security Governance
• Introduction to IT Security

External References

• IT Security Policy Framework
  • M. Chapple, D. Seidl; “CCSP Official Study Guide Third Edition”, section “Security Policy Framework“, pp. 298-304; Sybex, 2023