Policy Management is the natural extension of Controls Management. Acknowledging the controls that are to be followed is only a first step; Policy Management is how you get there.
Policy Management does three things:
- Adopt the policies.
- Specify how you will put them into effect.
- Specify how you will ensure they remain in effect.
Why do we provide the ability to do these three things? Without them, Policy Management is like a grizzly bear without claws or teeth.
An example of Policy Management:
Policy: The organization will ensure that a policy of Zero Trust for accessing any server, on premises or in the cloud, is enforced.
Effort: To put this into effect, the XYZ offering by BigCyber Corp is to be implemented with the following schedule and guidelines. The effort is owned by PersonX, with PersonY verifying implementation meets the requirements of the Policy.
Practices: The following practices will ensure that this policy is in effect:
- All new network and server devices will utilize the XYZ Zero Trust offering. Prior to being commissioned, each device must follow the 22.33.44 Device Instantiation process.
- XYZ is evaluated daily against the Asset Management system. If any new network or server devices are discovered that do not exist in XYZ, a violation of the policy will be flagged.
- The Asset system evaluates all Logon IDs. If an ID is identified that does not map to the XYZ system, the Logon ID and the IP address through which the logon occurred are registered and flagged.
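The daily reconciliation the last two practices describe, as an added example that is not part of the original page and not BigCyber Corp's XYZ product: it compares a constructed asset inventory export and constructed logon events against a constructed XYZ enrollment list. The field names (`asset_id`, `kind`, `logon_id`, `src_ip`) and the data are assumptions for illustration; a real implementation would read these from the Asset Management system's and XYZ's exports.

```python
# Added example: reconcile an asset inventory and logon records against a
# Zero Trust enrollment list, producing the policy violations a daily check
# would flag. All data below is constructed for illustration.

IN_SCOPE_KINDS = {"server", "network"}  # the policy covers network and server devices

# Constructed Asset Management export (field names are assumptions).
ASSET_INVENTORY = [
    {"asset_id": "srv-001", "hostname": "web01", "kind": "server"},
    {"asset_id": "srv-002", "hostname": "db01", "kind": "server"},
    {"asset_id": "net-010", "hostname": "core-sw1", "kind": "network"},
    {"asset_id": "ws-500", "hostname": "laptop-a", "kind": "workstation"},  # out of scope
]

# Constructed XYZ enrollment data: devices enrolled and identities known to XYZ.
XYZ_ENROLLED_DEVICES = {"srv-001", "net-010"}
XYZ_IDENTITIES = {"alice", "bob"}

# Constructed logon events as the Asset system would see them.
LOGON_EVENTS = [
    {"logon_id": "alice", "src_ip": "10.0.0.5"},
    {"logon_id": "svc-backup", "src_ip": "10.0.0.9"},
    {"logon_id": "bob", "src_ip": "10.0.1.2"},
    {"logon_id": "svc-backup", "src_ip": "10.0.0.9"},  # repeat; reported once
]


def find_unenrolled_devices(inventory, enrolled):
    """Return asset_ids of in-scope devices that are absent from XYZ, sorted."""
    return sorted(
        asset["asset_id"]
        for asset in inventory
        if asset["kind"] in IN_SCOPE_KINDS and asset["asset_id"] not in enrolled
    )


def find_unmapped_logons(events, identities):
    """Return unique (logon_id, src_ip) pairs whose logon_id does not map to XYZ."""
    flagged = {
        (event["logon_id"], event["src_ip"])
        for event in events
        if event["logon_id"] not in identities
    }
    return sorted(flagged)


def daily_policy_check(inventory, enrolled, events, identities):
    """Run both reconciliations and return the violations to register."""
    return {
        "unenrolled_devices": find_unenrolled_devices(inventory, enrolled),
        "unmapped_logons": find_unmapped_logons(events, identities),
    }


if __name__ == "__main__":
    violations = daily_policy_check(
        ASSET_INVENTORY, XYZ_ENROLLED_DEVICES, LOGON_EVENTS, XYZ_IDENTITIES
    )
    for device in violations["unenrolled_devices"]:
        print(f"POLICY VIOLATION: device {device} not enrolled in XYZ")
    for logon_id, src_ip in violations["unmapped_logons"]:
        print(f"POLICY VIOLATION: logon {logon_id} from {src_ip} not mapped to XYZ")
```

Out-of-scope asset kinds are excluded so the check only flags what the policy actually covers, and repeated logons are collapsed to one finding per (ID, IP) pair so the daily report stays readable; the check is ownable by PersonY as the verification step the Effort section assigns.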