Policies are the rules of the enterprise. Much like the ten commandments, they say what you can and cannot do in the enterprise. From the Strategic Level, there needs to be a policy in place that the other teams can reference for your cyber intelligence program and it should at least cover the following:
- The intent of your cyber intelligence program
- Description
- Targeted audience
- The reason that the policy exists
Procedures tell you how to do a particular process. This is where we explain (at the Strategic Level) how the cyber intelligence program works. It should include:
- Written procedures and explanations
- Process diagrams
These documents are typically an output or deliverable from a project that is up and operational. As you are building your capability based on the Capability Maturity Model, you can modify the document as appropriate.