Chapter 12: Operational and Organizational Security: Policies and Disaster Recovery
Policies and Procedures
In society, laws govern proper conduct, and law enforcement and judicial systems deal
with problems as they arise. In organizations, policies outline rules and expectations,
while procedures outline the courses of action used to deal with problems. Together,
policies and procedures let everyone understand the organization's views and values on
specific issues, and what will occur if they are not followed.
A policy is used to address concerns and identify risks. For example, a policy may be
created to deal with the physical security of an office building and the potential
threat of unauthorized access. It may state that members of the public are permitted
in the lobby and front desk area, but that points beyond this are for employees only.
Through the policy, an issue that is pertinent to the organization is explained and
dealt with.
Procedures consist of a series of steps that tell someone how to perform a task and/or
deal with a problem. For example, a procedure might instruct an administrator on how to
restore backed-up data to a server that has crashed; by following these instructions, the
person can deal with the crisis effectively. In other cases, procedures show how to avoid
problems in the first place. For example, a procedure dealing with physical security might
state how a visitor is to be signed into a building and escorted to a particular
department. Through such a procedure, the problems associated with people having free
access to secure areas (such as a server room) can be avoided.
Creating policies and procedures may seem a daunting task, but it becomes easier when
you realize that the document simply has to answer six questions: who, what, when,
where, why, and how.
■ Who and where? A policy needs to specify which persons or departments are
affected. In many cases it applies to all employees, while in other situations it is
directed toward certain individuals in limited circumstances. For example, if everyone
has access to the Internet, the policy outlining that access and the rules governing it
apply to everyone. In addition, the policy must specify who is responsible for dealing
with problems and violations of the policy. In the case of an Internet policy, the
Information Technology (IT) staff may be assigned the task of controlling access and
maintaining equipment, while department managers or other decision makers are
responsible for deciding a violator's punishment.
www.syngress.com