Policy framework development is needed to establish and sustain the organization’s security program. It records top leadership’s intent for how information security is to be managed. The program begins with documentation in the form of policies, standards, baselines, procedures, and guidance for compliance. The library of documents is arranged as a hierarchy, with the highest level consisting of a charter. The next level includes policies, followed by a larger number of standard and baseline documents. These documents are supplemented with guidelines to aid implementation. Finally, the library includes many procedure documents that describe step by step how to implement a specific security control or process. The library should be developed and managed by dedicated personnel with expertise in the subject matter of the organization’s industry or mission.
Any effective IT security program includes top-down sponsorship to establish and enforce these policies and standards. This framework of documents defines how the organization manages security risk within its risk appetite and risk tolerance. Because information security never stands still for long, most of the documents in a policy and standards library must be treated as living documents that are updated as technology and the environment change.