Written policies and procedures

6.3 Summarize behavioral security concepts.

📘CompTIA ITF+ (FC0-U61)


In IT and cybersecurity, written policies and procedures are formal documents that guide how people in an organization should behave when using computers, networks, and digital resources. They are critical for security, compliance, and consistency.

Think of them as official rules and instructions that everyone must follow to keep the organization safe.

1. Purpose of Written Policies

Written policies exist to:

  • Set expectations – Tell employees what behavior is acceptable and what is not.
  • Protect data and resources – Ensure sensitive information stays confidential and systems remain secure.
  • Ensure compliance – Make sure the organization follows laws and regulations (like GDPR or HIPAA).
  • Provide guidance during incidents – Help employees know what to do if something goes wrong, like a malware attack or a phishing email.

2. Types of Policies and Procedures

In IT, policies and procedures are usually split into categories:

A. Acceptable Use Policy (AUP)

  • Defines how employees can use company devices, networks, and software.
  • Examples in IT:
    • Using corporate email only for work purposes.
    • Not installing unauthorized software on work computers.
    • Accessing only approved websites from the company network.

B. Password Policy

  • Defines how passwords should be created and managed.
  • Common rules:
    • Minimum length (e.g., 12 characters).
    • Combination of letters, numbers, and special characters.
    • Regularly changing passwords every 60–90 days (a traditional rule the exam may still list; current guidance such as NIST SP 800-63B recommends changing a password when compromise is suspected rather than on a fixed schedule).
    • Not reusing old passwords (enforced by keeping a history of previous password hashes).

C. Data Protection and Privacy Policy

  • Explains how sensitive data (like employee information, client records, or financial data) should be handled.
  • Includes:
    • How data should be stored (encrypted, and only on approved servers).
    • Who can access which files (least privilege: only the people whose job requires it).
    • Guidelines for sharing data with third parties.

D. Security Incident Response Policy

  • Provides steps to follow if a security incident occurs.
  • Examples in IT:
    • Reporting phishing emails to the IT team.
    • Disconnecting an infected computer from the network.
    • Documenting incidents for analysis.

E. Software and Hardware Policies

  • Rules for installing and maintaining software and devices.
  • Examples:
    • Only IT-approved software can be installed.
    • Devices must be updated with the latest patches.
    • Unauthorized USB drives are not allowed.

3. Why Procedures Are Important

While policies tell employees what to do, procedures explain how to do it.

  • A procedure is like a step-by-step instruction.
  • Examples in IT:
    • How to create a strong password using a password manager.
    • How to report a phishing email.
    • How to back up files to a secure server.

Key Point: Without procedures, policies are just words on paper. Procedures make them actionable.


4. Key Characteristics of Good Policies

  • Clear and simple language – Anyone can understand, not just IT staff.
  • Specific – Gives concrete rules and actions, not vague suggestions.
  • Enforceable – Employees must follow them, and violations have consequences.
  • Up-to-date – Reflects the latest technologies, threats, and laws.
  • Accessible – Everyone can easily find and read them (company intranet, manuals, etc.).

5. How Policies Help Behavioral Security

Behavioral security is about people following safe practices. Written policies help by:

  • Preventing unsafe actions (like sharing passwords or downloading unapproved apps).
  • Guiding employees on what to do when issues occur.
  • Reducing the risk of human error, which is one of the biggest causes of security breaches.

6. Example Workflow in an IT Environment

  1. Company issues a written password policy.
  2. Employee receives instructions (procedure) on how to set passwords.
  3. Employee follows procedure and sets a strong password.
  4. IT enforces the policy using systems that reject passwords which break the rules (too short, missing character classes, or reused).
  5. Employee is guided to update the password whenever the policy requires it.

This creates a secure behavior pattern, reducing the chances of unauthorized access.
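Step 4 above (and the password policy rules in section B) is where a policy stops being words on paper and becomes a technical control. The following Python script is an added example, not part of the original page or any CompTIA material. It enforces the stated rules: minimum length, letters plus digits plus special characters, and no reuse of recent passwords, checked against a history of salted PBKDF2 hashes rather than plaintext. The history depth, the PBKDF2 iteration count and the small common-password denylist are assumptions chosen for the example; the denylist shows why complexity rules alone are not enough, since "Password123!" satisfies every character-class rule.

```python
import hashlib
import os
import secrets
import string
from typing import Optional

# Policy parameters taken from the password policy rules above.
MIN_LENGTH = 12
HISTORY_DEPTH = 5            # assumption: remember the last five passwords
PBKDF2_ITERATIONS = 200_000  # assumption: work factor for the stored history hashes

# Constructed denylist for this example; a real deployment would use a
# breached-password list, not three hand-picked strings.
COMMON_PASSWORDS = {"password123!", "welcome2024!", "changeme1234"}


def hash_password(password: str, salt: Optional[bytes] = None) -> tuple[bytes, bytes]:
    """Return (salt, PBKDF2-SHA256 digest). Each history entry keeps its own salt."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


def matches(password: str, entry: tuple[bytes, bytes]) -> bool:
    """Re-derive the hash with the entry's salt and compare in constant time."""
    salt, stored = entry
    _, candidate = hash_password(password, salt)
    return secrets.compare_digest(candidate, stored)


def check_policy(password: str, history: list[tuple[bytes, bytes]]) -> list[str]:
    """Return the list of policy violations; an empty list means the password is acceptable."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isalpha() for c in password):
        problems.append("no letters")
    if not any(c.isdigit() for c in password):
        problems.append("no digits")
    if not any(c in string.punctuation for c in password):
        problems.append("no special characters")
    if password.lower() in COMMON_PASSWORDS:
        problems.append("on the common-password denylist")
    if any(matches(password, entry) for entry in history):
        problems.append(f"reuses one of the last {HISTORY_DEPTH} passwords")
    return problems


def change_password(new_password: str, history: list[tuple[bytes, bytes]]) -> list[tuple[bytes, bytes]]:
    """Apply the policy; on success return the updated history (newest last, capped at HISTORY_DEPTH)."""
    problems = check_policy(new_password, history)
    if problems:
        raise ValueError("password rejected: " + "; ".join(problems))
    return (history + [hash_password(new_password)])[-HISTORY_DEPTH:]


if __name__ == "__main__":
    # Constructed walk-through: one accepted password, then four candidates.
    history = change_password("Correct-Horse-Battery-42", [])
    for candidate in ["short1!", "Password123!",
                      "Correct-Horse-Battery-42", "Another!Long-Passphrase-7"]:
        try:
            history = change_password(candidate, history)
            print(f"accepted: {candidate}")
        except ValueError as exc:
            print(f"{candidate!r}: {exc}")
```

The reuse check never stores or compares plaintext: the old password is re-hashed with the stored salt and compared with `secrets.compare_digest`. That is the same property a real directory service or identity provider relies on when it keeps a password history.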


Exam Tips

  • Remember the difference:
    • Policy = What to do
    • Procedure = How to do it
  • Know examples like AUP, password policy, data protection policy, incident response policy.
  • Understand why written policies improve security behavior.
  • Be able to explain why clarity, enforceability, and updates are important.