Policies

(OBJ 5.1)

What are policies?

• In IT governance, policies serve as the backbone, guiding an organization's operations and ensuring compliance with regulations.
• They provide a framework for consistent decision making and behavior.

Acceptable Use Policy (AUP)

• Document that outlines the do's and don'ts for users when interacting with an organization's IT systems and resources
• Defines appropriate and prohibited use of IT systems/resources
• Aims to protect organizations from legal issues and security threats
• Example:
  • An AUP might prohibit users from visiting potentially dangerous websites, downloading unauthorized software, or using company resources for personal gain
• Maintains a safe and productive IT environment

Information Security Policies

• Cornerstone of an organization's security Posture
• Outlines how an organization protects its information assets from threats, both internal and external
• These policies cover a range of areas
  • Data Classification
  • Access Control
  • Encryption
  • Physical Security
• Ensures confidentiality, integrity, and availability of data
• Example:
  • It might specify that sensitive data must be encrypted both in transit and at rest, and only authorized personnel should have access to it.

Business Continuity Policy

• Ensures operations continue during and after disruptions or disasters
• Focuses on critical operation continuation and quick recovery after disruption
• Includes strategies for power outages, hardware failures, and natural disasters
• Organization can mitigate the impact of disruptions ensure their survival.

Disaster Recovery Policy

• Closely related to the Business Continuity Policy
• Focuses on IT systems and data recovery after disasters
• Outlines data backup, restoration, hardware/software recovery, and alternative locations
• Example:
  • It might specify that data should be regularly backed up to a secure offsite location and tested regularly to ensure it can be restored if needed.

Incident Response Policy

• A plan for handling security incidents
• Addresses detection, reporting, assessment, response, and learning from security incidents
• Specifies incident notification, containment, investigation, and prevention steps in security brach events
• Minimizes damage and downtime during incidents by responding quickly and effectively

Software Development Lifecycle (SDLC) Policy

• Guides software development stages from requirements to maintenance
  • Initial requirements gathering
  • Design
  • Coding
  • Testing
  • Deployment
  • Maintenance
• Includes secure coding practices, code reviews, and testing standards
• Ensures high-quality, secure software meeting user needs

Change Management Policy

• Governs handling of IT system/process changes
• Ensures controlled, coordinated change implementation to minimize disruptions
• Covers change request, approval, implementation, and review processes
• By managing changes effectively, organizations can ensure that their IT systems remain stable, reliable, and secure.