Personnel Policies
  • Policies form the foundation of any security program.
  • Policies define:
    • How IT will approach security.
    • How users approach security.
    • How certain situations will be handled.

Policy Document Types

  • Policies - General management rules.
  • Standards - Specific mandatory controls (based on a given policy).
  • Guidelines - Recommendations or good practices.
  • Procedures - Instructions on how to implement a policy or standard.

Policy Elements

  • Overview
  • Purpose
  • Scope
  • Target Audience
  • Definitions
  • Version
  • Implementation Date
  • Compliance / Exceptions
  • Policy Statements

Common Policies

  • Acceptable Use Policy (AUP)
  • Access Policy
  • Authentication Policy
  • Backup & Recovery Policy
  • Data Classification Policy
  • Email/Messaging Policy
  • Social Media Policy
  • Physical Security Policy
  • Incident Response Policy
  • Mobile Device Policy
  • Network Security Policy
    • Wireless Policy
    • Remote Access Policy

Policies should be short.

Standard Operating Procedure (SOP)

  • Standard set of instructions for workers to carry out routine operations.
  • Aim to achieve efficiency and consistent output.

Agreement Types

  • Non-Disclosure Agreement (NDA)
    • Protects against sensitive information disclosure.
  • Business Partner Agreements (BPAs)
    • Specifies partner financial and fiduciary responsibilities (profit sharing).
  • Service-Level Agreements (SLAs)
    • Specifies nature and level of service by a provider (uptime).
  • Memorandum of Understanding (MOU) and Memorandum of Agreement (MOA)
  • Interconnection Security Agreement (ISA)

Personnel Management

  • Mandatory Vacations
  • Job Rotation
  • Separation of Duties
  • Clean Desk
  • Role-based awareness training based on job responsibilities.
  • Continuing Education

Separation of Duties

  • When user accounts are created by one employee and user permissions are configured by another employee.
  • An admin who is responsible for creating user accounts should not have the authorization to configure the permissions associated with those accounts.
  • Requires more than one individual to accomplish a critical task.
  • Ensures that no individual can compromise a system.
  • Considered valuable in deterring fraud.
  • Can be static or dynamic.
    • Static: refers to the assignment of individuals to roles and the allocation of transactions to roles.
      • An individual can be either an initiator of a transaction or the authorizer of a transaction, never both.
    • Dynamic: An individual can initiate as well as authorize transactions.
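
Separation of duties enforced in code, as an added example that is not part of these notes: static SoD rejects any role assignment that gives one person both conflicting roles, while dynamic SoD lets a person hold both roles but refuses to let them authorize a transaction they initiated themselves (the usual per-transaction reading of the dynamic case, which goes a step beyond the one-line definition above). All user names, role names and transaction IDs are constructed.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Set

CONFLICTING = {"initiator", "authorizer"}  # roles one person must not combine

class SoDViolation(Exception):
    pass  # raised when one person would complete a critical task alone

@dataclass
class Transaction:
    tx_id: str
    initiator: str
    authorizer: Optional[str] = None

class SoDWorkflow:  # two-step workflow: initiate, then a second party authorizes
    def __init__(self, roles: Dict[str, Set[str]], mode: str = "static"):
        if mode not in ("static", "dynamic"):
            raise ValueError(f"unknown SoD mode: {mode}")
        if mode == "static":
            # Static SoD: checked once at role assignment; nobody may hold both roles
            for user, held in roles.items():
                if CONFLICTING <= held:
                    raise SoDViolation(f"{user} holds both initiator and authorizer")
        self.roles = roles
        self.transactions: Dict[str, Transaction] = {}

    def _require(self, user: str, role: str) -> None:
        if role not in self.roles.get(user, set()):
            raise PermissionError(f"{user} lacks the {role} role")

    def initiate(self, user: str, tx_id: str) -> Transaction:
        self._require(user, "initiator")
        self.transactions[tx_id] = Transaction(tx_id, user)
        return self.transactions[tx_id]

    def authorize(self, user: str, tx_id: str) -> Transaction:
        self._require(user, "authorizer")
        tx = self.transactions[tx_id]
        # Dynamic SoD: checked per transaction; a person may hold both roles
        # but can never authorize the transaction they themselves initiated
        if tx.initiator == user:
            raise SoDViolation(f"{user} cannot authorize own transaction {tx_id}")
        tx.authorizer = user
        return tx

def violates(action) -> bool:  # True if `action()` is blocked by separation of duties
    try:
        action()
    except SoDViolation:
        return True
    return False
```

The same per-transaction check also closes the account-creation case above: whoever creates an account is recorded as its initiator and cannot be the one who approves its permissions.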

Change Management

  • Change management stipulates that multiple changes to a computer system should not be made at the same time.
  • This makes tracking any problems that can occur much simpler.
  • Change management includes the following rules:
    • Distinguish between your system types.
    • Document your change process.
    • Develop your changes based on the current configuration.
    • Always test your changes.
    • Do not make more than one change at a time.
    • Document your fallback plan.
    • Assign a person who is responsible for change management.
    • Regularly report on the status of change management.