
674    Chapter 12 • Operational and Organizational Security: Policies and Disaster Recovery


                  ■   What? The policy needs to provide details of what is being addressed and
                      the specifics relating to it. For example, an Internet policy may contain
                      rules dealing with e-mail use, guidelines on Internet use, programs that are
                      prohibited for use during work hours (such as Web-based games), and Web
                      sites that are considered improper to use. In many cases, this will be the
                      bulk of the policy.

                  ■   When? At what time does this policy come into effect? You will need to
                      specify whether the policy should be followed immediately, or if it will be
                      enforced after a specific date. In some cases, policies have an effective date
                      and an expiration date.

                  ■   Why? This explains the purpose of the policy, and what an organization
                      hopes to achieve from it. This may include a brief background on issues
                      that brought about the need for the policy.

                  ■   How? This is the procedure needed to make a policy work. When a policy
                      includes procedures, it specifies how the policy is to be implemented,
                      executed, and enforced. If additional procedures exist, these documents
                      should also be referenced in the policy document so that readers know
                      about their existence and where to find them.

                 When you are writing policies, you are writing for an audience. Policies created
             by a company need to be relevant and understandable to those affected by them. In
             many cases, this requires using non-technical terms to describe technology, explain
             requirements, and outline proper actions. Part of the document may even include a
             section that defines specific terms used in the policy, such as explaining what a
             “client” and a “server” are. There may also be a need to write for specific levels of
             education. For example, a policy used by elementary or high school students would
             be written differently than one for university students. For a policy to be followed,
             it must be understood by the intended reader.
                 Policies and procedures are not static documents that live forever. Some policies
             outlive their time and need to be revised or revoked. For example, before the
             Internet became popular, many companies and individuals ran Bulletin Board
             Systems (BBSs), in which people dialed directly into a computer to download files,
             send messages, and perform other tasks. If a company had a BBS policy but has
             long since gotten rid of the BBS and developed a Web site, the old policy should be
             cancelled and replaced by a new Internet policy. In such cases, the BBS policy should
             be categorized as cancelled, and the new Internet policy should indicate that it is
             replacing the old policy. By regularly reviewing policies to determine which ones



          www.syngress.com