Initial Thoughts
Policies are global in nature. All company employees are expected to follow the guidelines. Examples of policies include the Acceptable Use Policy (AUP), Memorandum of Understanding (MOU), or Bring Your Own Device (BYOD) policy. These are often generic guidelines that all employees must adhere to. On the other hand, procedures are typically at the department or team level. They are a step-by-step guide book. Many departments will have multiple Standard Operating Procedures (SOPs) covering a wide variety of topics.
Both policies and procedures follow a general outline. Here is some generic language to get you started.
General Outline
1. Purpose – Define the purpose of the policy.
“The purpose of this procedure is to set forth the process for investigating, evaluating, and recovering from a security breach to company information assets, data, or other resources.”
2. Requirements – Why is this required? What standards are to be followed? The PCI Data Security Standard (PCI DSS)? What other legal or regulatory rules apply?
“Payment Card Industry Data Security Standards (PCI DSS) were developed specifically to provide a baseline of technical and operational requirements designed to protect account data, to protect against threats, and secure elements in the payment ecosystem. The company adheres to all PCI DSS standards.”
“Standards & Organizational Controls (SOC 2) was developed to audit internal controls. Compliance helps provide information and assurances to customers about how you process users’ data and keep it private. The company will conduct a SOC 2 audit bi-annually based on the published schedule.”
“The company adheres to all PCI DSS standards, HIPAA standards, CISA hardening requirements, and SOC 2 audit requirements. Specifically, this procedure is mandated by PCI Standard 12.10.1, 10.10.3, 12.10.5, 12.10.06. See the PCI standards listed in the Appendix.”
3. Definitions – Define any terms or definitions used in the document.
4. Process & Procedure – Typically a flow chart. Also state what data is to be evaluated (input) and what results are expected (output). Are any records created? Reports?
5. Role Responsibilities – Who is to do what? Who is to use this procedure?
- Computer end user will notify security in the event of a suspected event.
- The security analyst will gather the PC and any data necessary for analysis.
- Forensic analysts will analyze the collected data and conduct the investigation.
- Any communication to the executive committee will be conducted by the CISO.
- A member of the executive committee will be responsible for speaking on the company’s behalf to law enforcement, legal, and the public.
6. Communication, Exceptions, & Sanctions – Who is exempt from following the policy? Who should they contact to get an exemption? What is the penalty if it is not followed? Who is this procedure written for? All employees?
“Any training about this procedure will be provided by the security team. Any modifications to this procedure are the responsibility of the oversight committee. If a user needs to request an exemption to this policy, or the policy needs to be updated, please contact the HR department.”
“Any employee, contractor, or user who willfully violates this procedure is subject to disciplinary action up to and including termination. The company reserves the right to pursue any legally permissible action it deems necessary to protect its interests and the interests of its customers. For further information, see the Employee Handbook.”
7. Document Control – Who is the owner of the document? How often is it reviewed (annually?)? Include a revision history chart.
“This document is maintained by the Human Resources Department. The content owner is responsible for identifying circumstances that might warrant out-of-cycle reviews (such as process changes, regulatory changes, etc.). A review should be initiated no more than 12 months after the last review.”
“This document is maintained by the Human Resources Department. This document is available online in the SharePoint Library and is published for viewing by all employees. Version 1.6 is the current approved version of this document.”
Create a bordered table with the following columns: Revision date, Description, Approved by, Version #.
8. Appendix – A written copy of the PCI standards that the document references, a URL, or other supporting material.