An issue-specific policy
"[is] intended to address specific needs within an organization, such as a password policy."

"addresses issues of current relevance and concern to the agency. Issue-specific policy statements are likely to be limited, particular, and rapidly changing. Their promulgation may be triggered by a computer security incident."
The agency's body of issue-specific policy statements is, by its nature, likely to lack a coherent relationship to information security goals. Individual policy statements, however, may be highly pertinent to these goals, such as those governing Internet access by users, installation of unauthorized software or equipment, and the sending and receiving of email attachments. Agencies should begin by gathering all issue-specific policies, organizing them by topic, selecting those that appear to affect security goals for further analysis, and identifying areas where additional policies may be needed. When an issue-specific policy statement needs to be formulated or revised, NIST suggests the following structure:
- Issue statement. This statement should include terms, definitions, and conditions; for example, what is "unauthorized software"? Include the rationale or justification for the policy if possible.
- Statement of the agency's position. This statement reflects management's decision on the policy; for example, "The use of unauthorized software is prohibited."
- Applicability. The applicability statement specifies where, how, when, to whom, and to what the policy applies.
- Compliance. Who is responsible for enforcing the policy? Who is authorized to grant exceptions?
- Points of contact for information or guidance.
Source: Overview: U.S. government section, Practices for Securing Critical Information Assets, at 5.