Page 45 - CISSO_Prep_ Guide
action if required and have a formal process for exception
handling.
A policy should always state its scope, including whom it applies
to, which should, of course, include employees, temporary
employees, contractors, third-party business partners, and
managers.
A policy that sits on a shelf is a common problem. To be
effective, the policy must be communicated to all staff and other
relevant parties. It should be readily available for reference and
should be a core part of security awareness sessions and annual job
performance reviews.
We casually use the word 'policy' as if it were a single document,
but an organization has many policies. The core policy document is
usually short, high-level, and rarely changes. It is implemented
and supported by numerous functional (issue-specific and
system-specific) policies that address individual issues and
technologies. Examples of these functional policies include a
remote access policy, an acceptable use policy (describing fair use
of the internet and other organizational resources), an incident
handling policy, an anti-virus policy, and so on.
The Interpretation and Implementation of Policy
A policy document, even when signed and endorsed by senior
management, is still only words on paper. Policy is the foundation
of the security program, but on its own it is not enough. It must be
interpreted into plans and strategies and implemented as concrete
action. Policy is put into practice through Procedures, Standards,
Baselines, and Guidelines.