A program policy is

"a high-level policy that sets the overall tone of an organization's security approach."

"what management uses to create an organization's security program. It is high-level, comprehensive, and unlikely to need frequent updating."
U.S. government
In a Federal agency, the formulation of program policy must proceed within the framework of existing laws, regulations, and Executive Branch policies, including the Computer Security Act of 1987; OMB Circular A-130, Management of Federal Resources, particularly OMB Circular A-130, Appendix III, Security of Federal Automated Information Resources; and PDD-63, Protecting America's Critical Infrastructures. It must also be guided by the agency's mission statement and organizational structure.
Program policy development and promulgation is the responsibility of senior management and should take place under the direction of the agency head or senior administration official responsible for the agency. The components of an adequate program policy include the following:
- Purpose statement. The purpose statement explains why the program is being established and what its information security goals are. Examples of goals include maintaining system and data integrity, protecting confidentiality of personal data, and maintaining availability of service. Agencies’ goals will vary with their missions; the IRS, which maintains huge databases of confidential personal information, would have different security concerns than the FAA, whose computers are essential to controlling air traffic safety.
- Scope. The scope section should state which agency resources — hardware, software (operating systems, applications, and communications packages), data, personnel, facilities, and peripheral equipment (including telecommunications) — are to be covered by the security program.
- Assignment of responsibilities. The program policy document should assign responsibility for information security program management to a single office and spell out supporting responsibilities of executives, line managers, applications owners, users, and the information technology (IT) organization. Clear, specific, and complete assignment of responsibilities supports another information security goal: accountability.
- Compliance. The compliance section should describe how the agency will oversee the creation and conduct of the information security program and who will be responsible for enforcing compliance with system-specific and issue-specific policies. This section may also establish a disciplinary process for dealing with infractions in general terms.
Reference (U.S. government section): Practices for Securing Critical Information Assets, at 3-4.