ABSTRACT

Security policies and the lower-level instructions beneath them consolidate the principles applied in day-to-day operations to protect company assets. The body of policy documents must cover every security instruction and be easily accessible to every employee. A policy must remain neutral with respect to the products or technical solutions used to implement it. Security policies must state their requirements clearly, derived from a description of the company's security posture in terms of risk. Policies sit at the highest level of the document hierarchy, below only the security charter. When IT infrastructure is shared by business units with differing risk appetites, a single policy calibrated to the unit with the lowest risk appetite imposes the strictest controls on everyone and penalizes the units that could accept more risk. Where there is no need to differentiate policies or guidelines between business units, organizing the documents by hierarchy alone is sufficient. The security charter and the general policy remain unique for the entire company. Differences in security policy, risk appetite, organization, or context may exist between business units within that single general policy, provided they are clearly set out.