Operational Policy

An operational security policy is a framework designed and implemented to help organizations protect technology and intellectual property. A well-formed operational security policy will help the organization deliver on business goals, legal requirements, and customer expectations. The program is typically developed, maintained, and implemented under the supervision of the CISO and executive staff. Full corporate participation, however, is required at all levels to ensure the organization can cost-effectively protect the needs and requirements of the business, employees, and customers. Operational policies need to be well documented and can cover a range of topics. A typical policy does the following:
 
  • Identifies the applicable regulations
  • Establishes the policy for privacy
  • Defines information handling and protection requirements
  • Outlines IT security, such as malware defense and mobile access
  • Describes how the policy will be implemented, enforced, and monitored for effectiveness