Writing Tier-1 Policy statements

Senior management is responsible for issuing Global (Tier-1) Policies to establish an organization's direction in protecting information assets. In previous tips, I provided an overview of the various Tier-1 Security Policies. Here, I describe the written components that make up each policy statement.

An information security policy will define the intent of management and its sponsoring body with regard to protecting the information assets of the organization. It will include the scope of the program; that is, where it will reach and what information is included in this policy. Finally, the policy will establish who is responsible for what.

• Read the first installment of Tom Peltier's Tier-1 Policies overview, which covers Employment and Standards of Conduct Policies.
• In the second installment of Tom's Tier-1 Policies overview, learn about Conflict-of-Interest, Performance Management, Employee Discipline and Information Security Policies.
• Tom examines Corporate Communications, Workplace Security and Business Continuity Plan Policies in the third installment of this series.
• In the fourth installment, Tom provides an overview of Procurement and Contracts, Records Management and Asset Classification Policies.

Global (Tier-1) Policies typically include the following four components:

• Topic -- The topic portion of the policy defines what specifically the policy is going to address. Because the attention span of readers is limited, the topic must appear quickly, say in the opening or topic sentence. I normally suggest as a guideline that the topic sentence also include a hook; that is, why readers should continue to read the policy. So in the opening sentence we want to convey two important elements: 1) the topic (it should have something to do with the title of the policy); and 2) the hook, why the reader should continue to read the policy.

  An opening topic sentence might read as follows: "Information created while employed by the company is the property of the company and must be properly protected."

• Scope -- The scope can be used to broaden or narrow either the topic or the audience. In an information security policy statement we could say "Information is an asset and the property of the company and all employees are responsible for protecting that asset." In this sentence we have broadened the audience to include all employees. We can also say something like "Business information is an essential asset of the Company. This is true of all business information within the Company regardless of how it is created, distributed or stored and whether it is typed, handwritten, printed, filmed, computer-generated or spoken." Here the writer broadened the topic to include all types of information assets.

• Responsibilities -- Typically, this section of the policy will identify who is responsible for what. When writing, it is better to identify the "who" by job title and not by name. The Office Administrator's Reference Guide can be of great assistance. The policy should identify what is expected from each of the stakeholders.

• Compliance or consequences -- The policy must spell out the consequences of non-compliance. If a business unit or department is found to be in non-compliance, they are generally subject to an audit item and will have to prepare a formal compliance response.

  For an employee, being found in non-compliance with a company policy will mean they are in violation of the organization's Employee Standards of Conduct and will be subject to consequences described in the Employee Discipline Policy.

Final thoughts

To be successful, a policy must be focused on a single subject and identify who is responsible for what activities. By including these four elements, the writer will be able to create an effective and efficient policy statement.

About the author
Tom Peltier has been an information security professional for more than twenty-five years. He has written books on information security policies and contributed to several books on CISSP preparation, and computer and data security.