Acceptable Use Policy
The AUP stipulates the constraints and practices that an employee
using organizational IT assets must agree to in order to access
the corporate network or the internet. It is standard onboarding
policy for new employees: they are given an AUP to read and sign
before being granted a network ID.
Access Control Policy
The ACP outlines the access available to employees with regard to
an organization's data and information systems. Topics typically
included in the policy are access control standards such as
NIST's Access Control and Implementation Guides. Other items
covered in this policy are standards for user access, network
access controls, operating system software controls and the
complexity of corporate passwords. Additional supplementary items
often outlined include methods for monitoring how corporate
systems are accessed and used; how unattended workstations should
be secured; and how access is removed when an employee leaves the
organization.
Change Management Policy
The change management policy refers to a formal process for making
changes to IT, software development and security
services/operations. The goal of a change management program is to
increase the awareness and understanding of proposed changes
across an organization, and to ensure that all changes are
conducted methodically to minimize any adverse impact on services
and customers.
Information Security Policy
The organization's information security policies are typically
high-level policies that can cover a large number of security
controls. The primary information security policy is issued by the
company to ensure that all employees who use information
technology assets within the breadth of the organization, or its
networks, comply with its stated rules and guidelines. I have seen
organizations ask employees to sign this document to acknowledge
that they have read it (which is generally done with the signing
of the AUP). This policy is designed for employees to recognize
that there are rules that they will be held accountable to with
regard to the sensitivity of the corporate information and IT
assets.
Incident Response Policy
The incident response policy is an organized approach to how the
company will manage an incident and remediate the impact to
operations. It's the one policy CISOs hope to never have to use.
However, the goal of this policy is to describe the process of
handling an incident with respect to limiting the damage to
business operations and customers, and reducing recovery time and
costs.
Remote Access Policy
The remote access policy is a document which outlines and defines
acceptable methods of remotely connecting to an organization's
internal networks. I have also seen this policy include addendums
with rules for the use of BYOD assets. This policy is a
requirement for organizations that have dispersed networks with
the ability to extend into insecure network locations, such as the
local coffee house or unmanaged home networks.
Email and Communication Policy
The company's email policy is used to formally outline how
employees can use the business's chosen electronic communication
medium. I have seen this policy cover email, blogs, social media
and chat technologies. The primary goal of this policy is to
provide guidelines to employees on what is considered the
acceptable and unacceptable use of any corporate communication
technology.
Disaster Recovery Policy
The organization's disaster recovery plan includes both
cybersecurity and IT teams' input and will be developed as part of
the larger business continuity plan. The CISO and teams will
manage an incident through the incident response policy. If the
event has a significant.
Business Continuity Plan Policy
The BCP will coordinate efforts across the organization and uses
the disaster recovery plan to restore hardware, applications and
data deemed essential for business continuity. The BCP describes
how the organization will operate in an emergency.
The company waives all bounding policies for low-cost "as-is"
services and products when the customer chooses the low-cost
option. The low-cost option is implicit. Any chosen policy must be
opted in and assessed for working with that specific customer.
The company waives any liability for diverging from policies
unless specifically contracted and agreed with the customer. In
that case, the customer agreement takes precedence.