The Role of Policy

Policy is really nothing more than a statement of organizational expectations.

Policy can be expressed at many different layers of the organization. At the broadest level, policy is a definition of the organization's objectives and guidelines for how to achieve those objectives. Down into the tactical and operational parts of the organization, policy will get into specific practices and guidelines that will help people and the systems that they use to stay within the framework expressed at higher levels.

The concept of layers of policy should be familiar to us in the U.S. Our highest-level policy is the Constitution. Every subsequent layer must follow that definition of objectives and guidelines. Those layers typically consist of Federal law (the U.S. Code), state law, and on down to city ordinances.

Similarly, an organization will have definitions of its objectives and guidelines at its highest levels. Following that will come various layers that deal with how particular business units, departments, and teams will operate.

At the highest levels of the organization will come the definition of the problems that it is trying to solve in the large. Obligations of the organization will be laid out, providing the organization with guidelines on how to balance the interests of shareholders, employees, customers, and the communities in which it works. Following the highest-level policies will come the kinds of policy that describe how to identify and manage market conditions, operational issues, and risk.

With the organization's definition of its risk management strategies and operational requirements for information will come a framework for defining INFOSEC-specific policy. That is, it will state which kinds of information are critical to the business, and how each of those types of information must be evaluated for confidentiality, integrity, and availability.

High-level INFOSEC policy will help the engineers and administrators designing, implementing, and operating information technology understand what they must do at a very detailed level. It is here that questions are answered such as whether direct Internet access is acceptable for particular systems or sets of users, whether packet-filtering routers are sufficient for separating networks, or whether application-layer proxies must be employed. At this layer, specific decisions will be made about the kinds of authentication mechanisms in place: whether passwords are sufficient, how strong they must be against various attacks, whether token-based devices are necessary, or whether biometric authentication mechanisms must also be employed. In the trenches, the technical staff will then understand how to configure the systems put into production.