ABSTRACT

The most fundamental control of any information security program is the information security policy. The policy defines what must be done and what must not be done. Regardless of who writes it, a policy needs to be reviewed outside of information security and approved by senior management. It is the policy that mandates the procedures that must be followed. It is the policy that indicates which guidelines should exist, so that the organization clearly and effectively communicates the how and the why of expected behaviour and meets the least resistance in achieving its goals. The most important thing about setting standards is that they help people get their job done effectively and set the expectation that following the standard is in everyone's best interest. Guidance is a procedure or a standard that is recommended but not mandatory.