Policies
A policy is a strictly enforceable ruleset that determines how a task should be completed.
- policies establish the rules that frame:
  - decision-making processes
  - risk mitigation
  - fairness
  - transparency
Governance describes the processes used to direct and control an organization, including the processes for decision-making and risk management.
- policies are the outputs of governance
Compliance describes how well an organization adheres to the regulations, policies, standards, and laws relevant to its operation.
- policies define the rules and procedures for maintaining compliance and outline the consequences of noncompliance
Common Organizational Policies
- Acceptable Use Policy (AUP)
- Information Security Policy
  - a document or series of documents, backed by senior management, that details the requirements for protecting technology and information assets from threats and misuse
- Business Continuity & Continuity of Operations Plans (COOP)
  - focus on the critical processes that must remain operational during and after a substantial disruption, such as a natural disaster or a cyber-attack
- Disaster Recovery
  - details the steps required to recover from a catastrophic event
  - goal is to restore operations as quickly and efficiently as possible
- Incident Response
  - outlines the processes to be followed after a security breach or cyberattack occurs
- Software Development Lifecycle (SDLC)
  - governs software development within an organization
  - provides a structured plan detailing the stages of development, from initial requirements analysis to maintenance after deployment
- Change Management
  - outlines how changes to IT systems and software are requested, reviewed, approved, and implemented, including all documentation requirements
- Guidelines
  - best-practice recommendations and advice for configuration items where detailed, strictly enforceable policies and standards are impractical
  - more flexible than policies
  - allow greater discretion for the individuals implementing them
- Personnel Policy