Security policies are all too often made overly complex and difficult to manage. Done incorrectly, policies can hinder more than they help. If you’re looking to pull together some security policies for your data center or elsewhere inside your organization, here’s a template you can use to help clarify what’s expected of everyone involved:
Introduction: A brief overview of the topic.
Purpose: The high-level strategy and goals of the policy.
Scope: The departments, employees and systems that are covered by the policy.
Roles and responsibilities: Who is involved and what each person must do to support the policy.
Policy statement: The actual policy outlining what can or cannot be done.
Exceptions: The departments, employees and systems that are not covered by the policy.
Procedures: Specific steps on how the policy is being implemented and enforced. The key word here is “specific.”
Compliance: Metrics and other methods used for measuring adherence to the policy.
Sanctions: Consequences for policy violations.
Review and evaluation: Specifics on when the policy must be reviewed for accuracy, applicability and compliance purposes (i.e. HIPAA/HITECH Act, PCI DSS, state breach notification laws, etc.).
References: Regulatory code sections and information security standards that the policy quotes or references.
Related documents: Other policies, procedures and security standards that relate to the policy.
Revisions: Ongoing changes made to the policy document.
Notes: Anything else that can help with future policy administration.
Kevin Beaver is an independent information security consultant, expert witness, author, and professional speaker with Atlanta-based Principle Logic, LLC and a contributor to the IT Watch Blog. You can reach Kevin through his website at www.principlelogic.com and follow him on Twitter at @kevinbeaver.