This policy is a high-level treatment of security concepts that are important to the company. Managers and technical staff are the intended audience. The governing policy controls all security-related interactions among business units and supporting departments in the company.
The end-user policy is a set of instructions that spells out the steps workers must take to safeguard company property. An informal set of guidelines distributed to employees in a public setting can be considered an end-user policy.
Security staff members follow technical policies when performing their security duties for the system. These policies are more detailed than the governing policy and are specific to a system or issue (for example, access control or physical security). Technical policies provide a detailed response to the "what," "who," "when," and "where" security policy questions.
Governing policy includes these key components:
• A description of the problem the policy attempts to solve.
• A statement outlining your stance on the rule.
• The environment in which the policy is implemented.
• The responsibilities and roles of those who will be impacted by the policy.
• The degree of policy compliance that is required.
• The permitted and prohibited actions, processes, and activities.
• The repercussions of noncompliance.