In today's lesson, I'll be discussing organizational policies. Organizational policies are essential to help organizations keep employees in line, help develop rules for users of services, and generally help set the tone for the organization. So I'll be discussing what organizational policies are, looking at some of the different types of organizational policies and differentiating them, and in your reading I'll tell you where you can get examples of organizational policies so you can basically fill in the blanks for your organization.

Organizational policies give direction for all kinds of things. They create rules for employees to follow. Think about a privacy policy, for example, for other people. Does it make you feel good to have an organization have a privacy policy when your data is on the line? Of course. Organizational policies are defined rules that are meant to be followed. There are also consequences if they're not followed. Policies are a little bit different from procedures and standards. Policies should never talk about technology, and they should never talk about how you accomplish something. Organizational policies are documents that you can go back to and say, is XYZ being followed? They provide a foundation for the technical policies that we'll talk about in the next lesson.

All organizational policies should contain a few key things: the effective date on which the policy takes effect, the author of that policy, the responsible party for that policy, any related policies, and the last revision date. These are all important to tell the story of how this policy was created and who's responsible for it, if anyone has questions.

Organizational policies should never contain technology or companies. The reason why is, let's say that there's a vulnerability in a piece of software that you're using. Do you want to keep on using that technology? For example, hashing algorithms change over the course of several years. So with certificates, for example, if we say certificates should always be in SHA-1 format, well, SHA-1 has been deprecated for the past year on many different browsers and in many different organizations. So why would you have a policy that you're going to have to change, and that you're violating by having those out-of-date hashing algorithms in your policy? Companies also get acquired. So if you are looking at EMC, for example, and you say we will only use EMC hardware, well, EMC was bought out last year, so do we call EMC Dell? Or another company, let's say. We need to make sure that we don't specify companies or technology, because they change.

So if we state something in policy, we should be following it, else we're violating it. This really is looked at by audits all over the place. If we have an audit-specific department, they may look at our policies in general and say, hey, are you following your own policies? Or why aren't you following your policies? So if I buy equipment from Dell, am I following that contract line or that policy line that says you will only buy EMC hardware, or am I violating it?

Policies should not include how to implement the policy itself. Those are procedures. Procedures can change. Policies are pretty much set in stone. Standards are another part of policy and procedures that are meant to change. Policies should also be reviewed regularly. I would say either once a year or once every three years, they should be reviewed to make sure that they are accurate. They should also be disseminated to a large group and vetted by stakeholders, so we need to tell users, here's a policy that you need to adhere to. If you drive a car, you are following rules or laws of the road. Think about those as policies. If you violate your policies, what is going to happen? If you violate the law, you're going to lose your driver's license by doing certain things that are a gross violation of that law. Same thing with policies. If we violate specific parts of a policy, we may lose our jobs.

So, examples of typical policies: acceptable use policy, clean desk policy, data breach policy, email, ethics, security and privacy. I'll go over two of the basic ones that you'll probably see all the time. What I won't tell you is the privacy policy; everybody's privacy policy is different, and they need to be handled differently, and that's usually a contract between information technology and your legal department. Okay, examples of specific policies could also include remote access policies, wireless communications policies, a technology equipment disposal policy, for example, or a data center security policy.

Let's talk about an acceptable use policy, which probably everybody has seen. These detail how technology should be used, and also look at what is allowed and prohibited for technology. We also cover privacy, a small part of privacy, in that policy. And we also look at violations of that policy. What happens if we violate a specific part of that policy? Do you lose your credentials, for example? If I violate a password policy that is in my acceptable use policy, am I going to lose my account access?

Another one is a security policy. Your security policy is usually going to be a large document that details the responsibilities for end users of systems. What are users' responsibilities for protecting information? It could also include classification of documents as well. And it also should define the reporting structure in case there is a breach.

So, in conclusion, organizations need policy not only to tell people what they should do, but to tell people what they shouldn't do, and how their information is also being protected. The public wants to have information on privacy as well, so whenever you're developing policies for an organization, be thinking about how others see you as well as how you see your employees.