Information Assurance Policy

Why should a computer scientist be concerned about policy? Unfortunately, ensuring the IT assets of the organization operate properly is not the only function you will be asked to perform but protecting the system from unwanted, unauthorized use will further enable you to perform that function. An IA policy provides a comprehensive, integrated, documented plan for a good security program that defines appropriate behavior for all consumers/managers of system, defines the tools and procedures needed to meet the determined security requirements, communicates a consensus of what should be done, and provides authority for response to inappropriate behavior.

Answering several questions can help you get started with developing a policy: “What are the objectives of what you’re trying to do?” What do you use to establish the goals or objectives for what you’re trying to do? The other steps (risk, threat, target, agents) in developing a usable, IA policy are straightforward assessments you normally perform routinely. The completed document will provide the system’s basic security requirements, the controls in place, planned controls, the responsibility of system users, and expected user behavior. Then all you have to do is ensure everyone is informed of what the policy is and uses it.