Read the book The Official (ISC)2 CISSP CBK Reference - Leslie Fife, Aaron Kraus - Page 99
Policies
A policy is a formal set of statements that establish a system of principles to guide decisions and actions. More specifically, a security policy is a set of statements that identifies the principles and rules that govern an organization's protection of information systems and data. Policies can be company-wide, system-specific, or issue-specific (e.g., an incident response policy). Some common examples of security policies include the following:
Acceptable use policy
Access control policy
Change management policy
Remote access policy
Disaster recovery policy
FIGURE 1.3 Relationship between policies, procedures, standards, and guidelines
Policies set the foundation for your organization's security program and are typically written to be broad enough to be applicable and relevant for many years. Much like the foundation of a building, security policies should survive long-term and are less likely to change than other documents, although they should be periodically reviewed and updated, as necessary. Standards, procedures, and guidelines are supporting elements that provide specific details to complement an organization's policies.