Policy and Guidance

GPC Information Security (InfoSec) is responsible for coordinating the development and dissemination of information security policies, standards, guidelines and procedures for the institution. InfoSec is also responsible for coordination of various regulatory compliance efforts as they relate to information technology systems, and institutional information and data. Generally, GPC InfoSec looks to the National Institute of Standards and Technology (NIST) 800 Series Special Publications, and to the Federal Information Security Management Act (FISMA) for guidance in information security program management and in applying a standards-based approach to securing information systems and processes within a risk-based framework.

Policy and Compliance Management

A policy is typically a concise document that outlines specific requirements, business rules or company stance that must be met. The policy is the organization’s stance on an issue, program or system. It is a rule that everyone must follow.

A standard is a requirement that supports a policy and a guideline is a document that suggests a path or guidance on how to achieve or reach compliance with a policy or standard. There are three phases in the USG policy development cycle:

  1. Develop
  2. Refine
  3. Formalize

In the information and network security realm, policies and standards are usually point-specific, covering a single area. Policies can be:

  • Program-focused policies
  • Issue-specific policies
  • System-related policies

Policy Framework

GPC InfoSec follows the ACUPA (Association of College and University Policy Administrators) model for policy development, modified for GPC’s environment (http://www.acupa.org).

Current security policies
Current standards, guidelines and procedures