Procedural Control Examples

Procedural controls refer to the procedures performed by individuals. They are often detailed in written documents that an organization uses for security. Procedural controls are directives from senior management on how to address security within the organization. Previous versions of NIST SP 800-53 referred to these controls as administrative controls.

The following sections provide examples of some of the common procedural controls in these categories:

  • Policies and procedures
  • Security plans
  • Insurance and bonding
  • Background and financial checks
  • Data loss prevention program
  • Education, training, and awareness
  • Rules of behavior
  • Software testing

Policies and Procedures

Policies and procedures are written documents that provide guidelines and rules for an organization. An organization will typically have several policies and procedures. A policy is a high-level document that provides overall direction without details. A procedure provides the detailed steps needed to implement a policy.

Policies have widespread application. They identify the direction management wants to take on a specific topic, meaning they document high-level management decisions. Personnel within the organization can then take steps to implement the policy. Policies also provide authority. This authority can be used to purchase resources in support of a policy. Without the policy in place, a purchase may be more difficult to justify.

NOTE

Procedural controls must have support from senior management. If management doesn’t support the guidelines, their lack of support will soon become apparent to employees. The organization will have two sets of policies: one that is the written set of policies and the other that is the unwritten set of policies that everyone follows.

For example, a backup policy would identify what data needs to be backed up, based on its value. The data could include user data, databases, application data on servers, and more. The backup policy would also identify storage and retention requirements. It would specify that copies of backups be stored in a separate location, which provides protection against a disaster, such as a fire.

A backup policy would include a retention policy, which identifies how long backups are to be retained. For example, the retention policy might specify that some data be retained for three years and other data be retained for only 30 days. Again, the choices are dependent on management decisions, which are documented in the written policy.

With a backup policy in place, the department responsible for backing up the data can purchase resources to implement the policy. These resources include tape drives, tapes, and software. Backups can get expensive; without a backup policy in place, sometimes managers balk at the cost.

Procedures are narrower in scope and more task oriented than policies. They identify specific steps needed to implement a policy. Any policy could have multiple procedures.

For example, a backup policy would state that backups need to be performed but not how to perform them. Procedures, on the other hand, state how to perform the backups. Separate procedures could be created for backing up user data, databases, and other application data and transferring tapes to an off-site location.

Examples of policies might be:

  • Acceptable use policy (AUP)—Defines acceptable use of systems by delineating what a user can and cannot do on a system. Sometimes, an AUP is referred to as rules of behavior.
  • Vulnerability scanning policy—Provides authority to perform regular scans. It identifies specific goals of the scans and how often the scans are performed.
  • Removable media policy—Many organizations recognize the risks associated with removable media, such as USB flash drives. By means of a policy, they restrict the use of these drives.

Examples of procedures might be:

  • AUP procedure—Identifies how users acknowledge the AUP. For example, users may be required to read and acknowledge their understanding of the AUP by signing a document.
  • Vulnerability scanning procedures—Procedures would be identified for different types of scans and would specify how the scans are to be documented and reported.
  • Removable media enforcement—Procedures can enforce the restriction of removable media. For example, the basic input/output system (BIOS) could be manipulated to prevent the use of removable media, or third-party software could be purchased to block their use. Microsoft domains allow administrators to restrict the use of removable media with Group Policy.

Security Plans

Organizations create separate security plans to address different scenarios. Many of the security plans are common to most organizations. This section covers the following security plans found in many organizations:

  • Business continuity plan
  • Disaster recovery plan
  • Backup plan
  • Incident response plan

Business Continuity Plan

A business continuity plan (BCP) is a comprehensive plan that helps an organization prepare for different types of emergencies. It ensures that mission-critical functions continue to operate even after a disaster has struck.

A BCP often starts with a business impact analysis (BIA). The BIA identifies the critical functions and then documents how to keep those functions operating during a disaster.

Disaster Recovery Plan

A disaster recovery plan (DRP) provides the details for recovering one or more systems after a disaster. Sometimes, DRPs and BCPs are considered the same thing. However, they are different. The BCP keeps the critical functions running during a disaster, whereas the DRP has a narrower focus and identifies how to recover a system.

For example, a BCP might identify how an organization responds to a threatening hurricane, such as moving critical functions to an alternate location. After the hurricane has passed, the DRP identifies how the organization should recover its systems. For example, flooding may have destroyed several servers. The DRP identifies how these servers can be recovered. The BCP would also identify how the critical functions are returned to normal operation after the DRP has recovered them.

Backup Plan

A backup plan, which is derived from a backup policy, is often included as part of a DRP. Data can’t be recovered after a disaster unless it previously has been backed up.

The backup policy identifies data valuable to the organization and specifies storage and retention requirements. The backup plan includes procedures identifying how this data can be backed up because not all data is backed up the same way.

User data is simple to back up if the data is stored centrally. Often, an organization will require users to store their data on a central server, and the backup plan documents this requirement. Administrators then back up the data on the server. Backing up data on each individual user system is almost impossible.

Databases hosted on database servers require dedicated software to back them up. The same software can’t be used to back up both user data and databases. Additionally, many other server applications, such as email servers, require dedicated backup software.

Backup plans also identify how to perform test restores, which verify that backed-up data can be restored. Many horror stories tell of how an organization regularly went through the motions to back up its data but, when the data needed to be restored, technicians discovered that none of the backups were usable. A test restore simply restores a backup tape to ensure the backup is valid.
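As an added example (not from the book), the following Python checks a constructed backup catalog against the requirements a backup policy and plan would state: per-class retention, a copy stored off-site, and a recent test restore. The data class names, the retention periods (built from the text's three-years and 30-days examples), the catalog records and the 90-day test-restore interval are all assumptions.

```python
from datetime import date, timedelta

# Retention periods the written backup policy would state, per data class.
# Constructed values taken from the text's examples: three years for some data,
# 30 days for other data. The class names themselves are assumptions.
RETENTION_DAYS = {"database": 3 * 365, "user_data": 30}

# Reference date used by the sample run below (constructed).
TODAY = date(2025, 6, 1)

# Constructed backup catalog, one record per backup set, in the shape a backup
# application might export. "offsite" records whether a copy went to a separate
# location; "test_restore" is the date the set was last restored to prove it is usable.
CATALOG = [
    {"id": "db-2023-01", "class": "database", "taken": date(2023, 1, 15),
     "offsite": True, "test_restore": date(2024, 11, 2)},
    {"id": "db-2025-05", "class": "database", "taken": date(2025, 5, 1),
     "offsite": False, "test_restore": None},
    {"id": "usr-2025-04", "class": "user_data", "taken": date(2025, 4, 1),
     "offsite": True, "test_restore": date(2025, 4, 3)},
    {"id": "usr-2025-05", "class": "user_data", "taken": date(2025, 5, 20),
     "offsite": True, "test_restore": date(2025, 5, 22)},
]


def expired(record, today, retention=RETENTION_DAYS):
    """True when the set is older than the retention period for its class.
    A class with no retention rule is never purged automatically."""
    days = retention.get(record["class"])
    if days is None:
        return False
    return today > record["taken"] + timedelta(days=days)


def purge_list(catalog, today, retention=RETENTION_DAYS):
    """IDs of backup sets the retention policy no longer requires."""
    return [r["id"] for r in catalog if expired(r, today, retention)]


def policy_findings(catalog, today, retention=RETENTION_DAYS, restore_check_days=90):
    """Findings for sets still under retention that fail the plan's other
    requirements: an off-site copy and a test restore within restore_check_days."""
    findings = []
    for r in catalog:
        if expired(r, today, retention):
            continue
        if r["class"] not in retention:
            findings.append((r["id"], "no retention rule for class"))
        if not r["offsite"]:
            findings.append((r["id"], "no off-site copy"))
        last = r["test_restore"]
        if last is None or (today - last).days > restore_check_days:
            findings.append((r["id"], "no recent test restore"))
    return findings


if __name__ == "__main__":
    print("purge:", purge_list(CATALOG, TODAY))
    for set_id, problem in policy_findings(CATALOG, TODAY):
        print(f"{set_id}: {problem}")
```

A set with no retention rule is deliberately kept rather than purged, and reported, so a gap in the written policy surfaces as a finding instead of silent data loss.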

Incident Response Plan

An incident response plan documents how an organization should respond to a security incident. The organization could have multiple incident response plans, depending on the complexity of the organization.

A security incident is any incident that affects the confidentiality, integrity, or availability of systems or data. Security incidents occur when a threat exploits a vulnerability.

For example, a system is infected with malware. The organization’s plan could be to take the following steps in response to an infection:

  • Disconnect the local area connection cable.
  • Leave the system power on.
  • Write down any messages that appear.
  • Report the incident.

A more complicated problem may occur from a denial of service (DoS) attack on a server, which would require a response from an administrator or security professional. Once the incident has been verified, the administrator could take steps to isolate the affected server and preserve any evidence of the attack.

Insurance and Bonding

A risk can be avoided, shared or transferred, mitigated, or accepted. In cases where the likelihood of damage is very low and the impact is very high, organizations often choose to share or transfer the risk. The primary way an organization shares or transfers risk is by purchasing insurance.

Most insurance policies specify shared responsibilities between the insurance company and the customer. For example, fire insurance typically covers most but not all damage from fire. It also requires customers to take reasonable precautions to prevent fires. In some cases, the entire risk can be transferred with an insurance policy.

Many types of insurance can be purchased. The goal is to protect a company from a loss. If the risk occurs, the insurance helps pay for the loss, which keeps the risk from bankrupting the company.

Some types of insurance, such as fire and flood insurance, are obvious. Other types of insurance deserve an explanation.

Business interruption insurance can be purchased as an add-on to some policies. For example, a company may add business interruption insurance onto a fire insurance policy. If a fire occurs and the company can’t operate normally, the insurance pays for losses until the company opens up again. This insurance usually covers operational expenses, such as rental of equipment, and would also pay for profits that the company would have normally earned.

Errors and omissions insurance, also known as professional liability insurance, is valuable if a company supplies services to other companies. For example, imagine a company performs maintenance on a customer’s servers. In the process of performing the maintenance, the technician accidentally plugs in a power supply the wrong way and ruins the server. The customer may take the company to court. This insurance will provide protection.

Similarly, a company may provide consultants to customers. A consultant may help a customer create a backup plan but forget to include off-site storage. Because the consultant is the expert, this is a glaring omission. If the customer suffers a fire and loses all the backups for the organization, the company may sue. Again, the errors and omissions insurance provides protection.

Bonding is a type of insurance that covers against losses by theft, fraud, or dishonesty. A person covered by bonding insurance is referred to as being bonded. Organizations purchase bonding insurance when required by law and to provide a level of security to their customers.

For example, a company provides IT support to customers at their homes. Bonding insurance could be purchased to cover the technicians. If a technician in the company steals from a customer while performing the service, the bonding company would pay for the loss. Bonding insurance is often very narrow. For example, the insurance may not pay unless the employee has been tried and convicted of the theft. Instead of pursuing a conviction against the employee, the customer may just sue the company.

Background and Financial Checks

Many organizations perform background and financial checks on prospective employees, which are completed before the employee is hired.

Background checks commonly include police and FBI checks, which will identify any criminal behavior on the part of a prospective employee. Past mistakes won’t automatically stop someone from being hired. However, there are times when past convictions are relevant.

A truck driver is unlikely to be hired if he has a reckless driving conviction on his record. Similarly, an administrator is unlikely to be hired if she’s recently been convicted of theft. A shoplifting conviction is enough to prevent a company from hiring an employee in a position of trust.

Most companies also complete financial checks for prospective employees. A person with a poor credit rating may be viewed suspiciously. Employers wonder whether the poor credit rating is a reflection of responsibility and accountability. If a person ignores his or her debts, does that imply irresponsibility on the job?

Today, Internet resources are commonly included in background investigations, which include simple Google or Facebook searches. A person who has fanatically ranted on a topic may be viewed as problematic. More than anything, companies want employees who can work well with others. Someone who has a Facebook page filled with attacks on others may be bypassed for someone who has never had a Facebook page.

Data Loss Prevention Program

A data loss prevention program helps a company prevent data loss. Data loss can be viewed in one of two ways:

  • Loss of confidentiality—A company loses confidentiality when unauthorized entities view its data. For example, if an unauthorized user views data, confidentiality is lost. Inadequate access controls may allow an unauthorized user to view data, an attacker could hack into an online site and access a back-end database, or a user could lose a laptop that has proprietary information stored on it.
  • Loss due to corruption—Files can become corrupt in a variety of ways. The disk drive could crash, an application could hiccup when writing a file, or users could accidentally or purposely delete or modify data. How the data is lost isn’t as important as preparing for the loss with backups.

An organization can protect against loss of confidentiality using two methods. One method is using access controls. Authentication methods identify and verify users. Permissions then grant authorization to access resources. The principle of least privilege ensures that users have access to only the resources they need and no more.

The other method of protection against loss of confidentiality is encryption. Data can be encrypted while it’s at rest or being transferred. At-rest data is any data that is stored on media, such as a hard drive or USB flash drive. Data can also be encrypted when it’s transferred over a network.

NOTE

The actual methods used to protect against loss of data are technical controls. However, the program that identifies which data to protect is a procedural control.

A data loss prevention program identifies the data that is valuable to an organization. Data can be classified as public, private, or proprietary. The data loss prevention program would then specify the importance of data in each of these categories and would also specify whether the organization wants to protect against loss of confidentiality, loss due to corruption, or both.

Education, Training, and Awareness

An organization can have the best documented security controls on the planet. However, if the employees don’t know what they are or how to implement them, the controls simply aren’t effective. Education, training, and awareness controls ensure that employees know why security controls are important, how to implement them, and what the organization’s security standards are.

Awareness programs are generic and apply to all personnel. They use different techniques to inform and remind people about security, and they try to have users personalize security. In other words, instead of security being someone else’s responsibility, users recognize that security is everyone’s responsibility, including theirs. Some examples of how awareness can be raised include:

  • Logon or welcome banners
  • Emails
  • Posters

Training is provided for different audiences. Some training is generic and for all personnel. For example, all users should be educated on social engineering tactics. Other training is specialized and targeted at specific groups. For example, training on how to maintain a specific firewall is provided to the administrators who will maintain it. Specific security professionals are trained on how to run and interpret vulnerability scans.

Education generally focuses on the risk of not protecting the organization. It applies to organizational executives and attempts to do a cost-benefit analysis of security controls, standards, and practices.

Rules of Behavior

Rules of behavior let users know what they can and cannot do with systems. Users read this document before being granted access to a system and are often required to sign a document indicating that they have read and understand the rules of behavior.

The Office of Management and Budget (OMB) mandates the use of rules of behavior for agencies under OMB jurisdiction. These rules are documented in OMB Circular A-130, Appendix III, which also references the rules of behavior control documented in SP 800-53.

Some common elements in a rules of behavior document are:

  • Privacy—Many organizations stress that users have no expectation of privacy. If they are using employer resources, they are subject to monitoring, and data can be viewed at any time. This data includes a user’s data files, email files, and a history of a user’s Internet activity. Organizations frequently scan all outgoing transmissions, such as emails, which helps them ensure that personally identifiable information (PII) is not being released.
  • List of restricted activities—Most systems restrict certain kinds of activities. Organizations will often explicitly restrict access to any sites with sexual or pornographic content. The list of restrictions could also include gaming, gambling, or personal business. Although these restrictions try to avoid offending employees, other restrictions are intended to protect resources. For example, some companies restrict any type of audio or video streaming, such as online radio stations, which protects the network from being overloaded with unnecessary traffic.
  • Email usage—Users are informed of what email can be used for and what restrictions exist. Most companies allow users to send and receive personal email. However, users should not use email for any type of harassment or transmission of objectionable materials.
  • Protection of credentials—Users are told to protect their credentials, such as username and password, and they are given information on how to create a strong password.
  • Consequences or penalties for noncompliance—Such consequences could be reprimands or suspension of privileges. Serious offenses could result in the employee’s termination.

This list isn’t all inclusive. An organization will include the information necessary to ensure that users understand what is expected of them. Some organizations limit this information to a single page, and other organizations make this list longer.

TIP

NIST published SP 800-50, Building an Information Technology Security Awareness and Training Program, in 2003. It provides details on how to design, develop, and implement an awareness and security training program.

TIP

Rules of behavior are called an acceptable use policy (AUP) in some organizations. Most private organizations use an AUP. The purpose of rules of behavior and an AUP is the same.

Software Testing

An organization that develops software should take the time to test it, and it should have a policy that mandates software testing. The primary reason to test the software is to reduce the number of undiscovered bugs in the software.

A 2017 study from Tricentis reported annual losses from software failures to be in the $1.7 trillion range. The Consortium for IT Software Quality (CISQ) put its 2018 estimate at roughly $1.1 trillion. These numbers reflect the growing need for and importance of software quality checks through testing.

The types of software testing performed are technical controls. For example, data range and reasonableness checks could be performed. However, creating a policy requiring software testing is the place to start.
