
Policies

Also called: Rulebook, Guidelines, Policy

What it is

A Policy is the organization’s official rules and principles for how the organization operates. Policies: 

  • Establish standards and acceptable behavior

  • Reduce risk and uncertainty

  • Support legal and regulatory compliance

  • Provide guidance for decision-making


A policy is not a how-to guide. It’s more like the rules of the road. Cybersecurity policies are a critical subset of organizational policies, addressing how information systems, data, and digital assets are protected.


Why policies exist

Because in a real organization, people need clarity and consistency. Policies prevent “everyone doing it their own way.”

Cybersecurity policies are formal rules and guidelines designed to protect the confidentiality, integrity, and availability (CIA) of information and systems. They define how users, systems, and third parties should interact with organizational technology and data.

These policies apply to:

  • Employees and contractors

  • Information systems and networks

  • Cloud services and third-party platforms

  • Company-owned and personal devices used for work

What it usually looks like

  • Short sections like “Purpose,” “Scope,” “Requirements,” “Roles & Responsibilities”

  • Statements like “must,” “required,” “shall”

  • Often approved by leadership

  • Versioned (because auditors and reality both demand receipts)

Core Examples of Cybersecurity Policies

  • Information Security Policy - the foundational policy that outlines the organization's overall approach to information security. It defines security objectives, roles, responsibilities and governance structures.

  • Acceptable Use Policy - Defines how users may or may not use company systems, networks and data, including internet and email usage, prohibited activities and limits on personal use.

  • Access Control Policy - Specifies how access to systems and data is granted, managed and revoked. Common principles include least privilege, role-based access and multifactor authentication.

Policy use and enforcement

Read it to understand the rule and link your procedures/processes to it (even if writers forget, your system can connect them later).

Failure to comply with cybersecurity policies may result in:

  • Disciplinary action

  • Loss of system access

  • Legal or contractual consequences

Policies are enforced through technical controls, audits, monitoring, and periodic reviews.

Common confusion

Policy vs Procedure:

  • Policy = what/why

  • Procedure = how

The official CMMC definition of Policy is:

A policy is a high-level statement from an organization’s senior management that documents the requirements for a given activity. It is intended to establish organizational expectations for planning and performing the activity and communicate those expectations to the organization. Senior management should sign policies to show its support of the activity.

Policy Listing

The current CMMC Assessment Guide identifies the following policies as it describes the sorts of documents an assessor may look to review:

  1. Access Control Policies
  2. Asset Management Policies
  3. Audit and Accountability Policy
  4. Configuration Management Policy
  5. Data Protection Policy
  6. Identification and Authentication Policy
  7. Information Flow Control Policies
  8. Information Security Policies
  9. Information Technology Policies
  10. Insider Threat Policy
  11. Password Policy
  12. Privacy and Security Policies
  13. Security Assessment and Authorization Policy
  14. Security Awareness and Training Policies
  15. Security Planning Policy
  16. Software Review Policy - In House Development
  17. Systems Media Policy
  18. User-installed Software Policy

Organizations need not have exactly this list of policies, but should have a set of policies that address these items. Future versions of FutureFeed will allow tagging of uploaded policies with the above list.

What makes good policy?


General Policy Guidance

Size (Length) 

Policies can vary significantly in length, and there are advantages and disadvantages to both short and long policies. Generally, conciseness is advised. The length of a policy affects how easily readers can find the keywords they search for within it, and how easily the document can be navigated and read. As a general rule, the shorter the policy, the easier it is for users to retrieve the information they are seeking.

Policy Text Organization

If your policy is long and contains multiple sub-sections within the Policy Statement section, strive to organize the material using sub-headings and bulleted lists.

Avoid the use of numbering schemes, if possible. If you are anticipating including an ordered list, consider whether the material is actually a process rather than policy. Supplemental information such as procedures is not included in the Policy Library, but links to such material are encouraged within the "Resources" section (see above).
