Definition

Security

A program policy is

a high-level policy that sets the overall tone of an organization's security approach.[1]
what management uses to create an organization's security program. It is high-level, comprehensive, and unlikely to need frequent updating.[2]

Overview

U.S. government

In a Federal agency, the formulation of program policy must proceed within the framework of existing laws, regulations, and Executive Branch policies, including the Computer Security Act of 1987; OMB Circular No. A-130, Management of Federal Resources, particularly OMB Circular No. A-130, Appendix III, Security of Federal Automated Information Resources; and PDD-63, Protecting America's Critical Infrastructures. It must also be guided by the agency's mission statement and organizational structure.

Program policy development and promulgation is the responsibility of senior management and should take place under the direction of the agency head or senior administration official responsible for the agency. The components of an adequate program policy include the following:

References

  1. SANS Glossary of Security Terms.
  2. NIST Special Publication 800-18, at 33-34.
