Copyright (c) 2026 MindMesh Academy. All rights reserved. This content is proprietary and may not be reproduced or distributed without permission.

2.1.3. Security Policy Hierarchy

💡 First Principle: A security policy without enforcement is a wish list. A policy hierarchy creates the enforcement chain: board-level policy establishes intent, standards define measurable requirements, procedures make compliance actionable, and guidelines fill in the gaps without creating liability. Each level derives authority from the one above it.

Policy types — the exam tests all three:

Organizational (Enterprise) Security Policy — The master policy. Sets overall security direction, assigns responsibility, establishes compliance requirements. Usually 1-2 pages; not technical. Signed by the CEO or Board.

Issue-Specific Policy — Addresses a particular topic in depth: acceptable use, remote work, social media, BYOD, email, password management. Each issue policy is mandatory for its scope.

System-Specific Policy — Governs a specific technology or system: "All production web servers must have X, Y, Z configured." Often implemented as a configuration standard or baseline.

The policy development lifecycle:
  1. Identify the risk or requirement driving the policy need
  2. Draft with input from legal, HR, operations, and security
  3. Review cycle (legal review is mandatory — unenforceable policies create liability)
  4. Executive approval and signature
  5. Communicate to affected parties (you cannot enforce a policy people weren't notified of)
  6. Training on policy requirements where needed
  7. Enforcement mechanisms defined
  8. Scheduled review cycle (typically annual or triggered by significant change)

Policy exceptions — mature programs always have a formal exception process. An exception requires: documented business justification, risk assessment of the exception, compensating controls, time limit, and appropriate management approval. Undocumented exceptions are a major audit finding.

⚠️ Exam Trap: A policy that has never been communicated to employees cannot be enforced as a disciplinary basis. "We had a policy" is not sufficient — the organization must demonstrate the employee knew about the policy. This is why onboarding security briefings and annual policy acknowledgment signatures exist.

Reflection Question: An employee is terminated for violating the acceptable use policy by installing unauthorized software. The employee's lawyer argues the policy was never communicated. What documentation should HR and security be able to produce to defend the termination?

Written by Alvin Varughese, Founder (15 professional certifications)