12. Security Policy (Regulations), Standards and Procedures.
Policies, procedures and standards are essential elements of the Security Program but, to be useful, they must be fully in line with the reality and needs of the Company; for this reason they are almost always among the first activities of the Fractional CISO in the Company.

A security policy (regulation) is a normative document that defines the security state the organization requires: the resources to be protected and the level of protection that the security measures must guarantee.

A company that defines its own Security Policy formally declares its needs, vision, strategic security objectives and reference model (framework); it assigns responsibilities, defines roles, specifies control requirements, outlines the processes for applying them, indicates compliance requirements and defines the acceptable risk levels.

The policy binds the Company and all internal and external personnel to comply with what it defines; it draws the boundary between what is permitted and what is not, and between desired and deprecated behaviour, and it must provide for sanctions in case of violation.

Policies are an effective administrative security control, provided that they are actively supported by management and adequately communicated to staff.

Simplicity, clarity of language and conciseness are indispensable so that policies are read, consulted when needed and, above all, understood.

To avoid bulky and therefore unmanageable documents, policies normally have a hierarchical structure that starts from general principles and branches out to address specific topics, for example:

General Company Information Security Regulations
-> Regulations for the acceptable use of the company's IT tools
-> Access management regulations
----> Regulations for the activation and deactivation of user accounts on the hiring and departure of personnel
-> Regulations for the classification and management of information
-> Regulations for the management of information security incidents
-> Corporate network security regulations
----> Regulations for managing firewall rules
----> Regulations for updating systems and equipment
-> Regulations for the continuous training of personnel on information security

Policies must be reviewed regularly, usually at least annually, to ensure that they remain adequate to the real situation of the Company; but since they are documents of a "regulatory" type, they usually require little intervention.

Standards and procedures are the documents that make policies concrete: they go into specifics by defining the "what" (standards) and the "how" (procedures).

Some examples of security standards:

-> The classification scheme for documents and information
-> The types of cables to be used for Ethernet and optical fibre connections
-> The list of permitted USB device models
-> The security configuration of employees' computers


Procedures define in detail the activities to be carried out to perform a given process or task correctly, specifying, where necessary, their sequence and the various options.

They are very effective in achieving repeatable results and an adequate level of quality, they facilitate and simplify the onboarding of new staff, and they can be used to demonstrate the Company's level of quality in executing its processes (external audits).

Some examples of security procedures:

-> Creation of user accounts for newly hired personnel and assignment of roles and privileges
-> Deactivation of user accounts for departing personnel
-> Security updates of staff computers
-> Changing firewall rules
-> Security incident response management
-> Data backup management


It is essential that procedures and standards are updated frequently to adapt to organizational, technological and regulatory changes; this is explicitly provided for by the Security Program (see 9. The Information Security Program).