A security policy (regulation) is a regulatory document that defines the security state the organization requires:
the resources to be protected and the adequate level of protection that the security measures must ensure.
A company that defines its own Security Policy formally declares its needs, vision, strategic security objectives and reference model (framework), assigns responsibilities, defines roles, specifies control requirements, outlines implementation processes, indicates compliance requirements and defines the acceptable risk levels.
The policy binds the Company and all internal and external personnel to observe what it lays down, drawing the boundary between what is permitted and what is not and a dividing line between desired and unacceptable behavior; it must also provide for sanctions in case of violation.
Policies are an effective administrative security control, provided that they are actively supported by management and adequately communicated to staff.
Simplicity, clarity of language and concision are indispensable if policies are to be read, consulted when needed and, above all, understood.
To avoid bulky and therefore unmanageable documents, policies normally have a hierarchical structure that starts from general principles and branches out to address specific topics, for example:
General Company Information Security Regulations
Policies must be reviewed regularly, usually at least annually, to ensure that they remain adequate to the Company's actual situation; but since they are documents of a "regulatory" type, they usually require little intervention.
Standards and procedures are the documents that give concreteness to policies: they go into specifics by defining the "what" (standards) and the "how" (procedures).
Some examples of security standards:
Procedures define in detail the activities to be carried out in order to perform a given process or task correctly, specifying, where necessary, their sequence and the available options.
They are very effective in achieving repeatable results and an adequate level of quality, they facilitate and simplify the onboarding of new staff, and they can be used to demonstrate the Company's level of quality in executing its processes (external audits).
Some examples of security procedures:
Procedures and standards must be updated frequently to keep pace with organizational, technological and regulatory changes; this is explicitly provided for by the Security Program (see 9. The Information Security Program).