Policy is used to set boundaries for employees that use the company’s resources.  According to the University of California in Santa Cruz, policy is used to define how employees, staff and students are to approach security (Information Technology Services, 2012). The Control Objectives for Information and Related Technology (COBIT) states that policy is to follow a set of security guidelines that are to control companies’ set objectives.  COBIT is a framework created by Information Systems Audit and Control Association (ISACA) for information technology (IT) management and IT governance (COBIT, 2013).

            COBIT has a series of control objectives that are designed for a company to easily develop a policy that suits their needs.  COBIT labels their control objectives include: Management of IT Security, IT Security Plan, Identity Management, User Account Management, Security Testing and Surveillance and Monitoring, Security Incident Definition, Protection of Security Technology, Cryptographic Key Management, Malicious Software Prevention and Detection and Correction, Network Security, and Exchange of Sensitive Data (IT Governance Institute, 2007). 

            Now, here is an example of the company, ‘Solo Cup’ the makers of plastic cups, using COBIT’s User Account Management DS5.4 section.  The Solo Cup Company organized their policy by addressing user account privileges.  Solo Cup designed the policy to be followed and protected by their employees that had IT access.  Solo Cup’s IT was to follow the general computer control areas that managed configurations, data, operations problems, incidents, and third parties to build policy.  The other goals of Solo Cup’s IT policy were to ensure system security, install and accredit solutions and changes and control end-user computing.  Solo Cup could not have developed an IT policy without the guidelines set by COBIT (Ryan, 2011).

            COBIT explains how to control objectives with the User Account Management section to ensure system security and set forth policy.  “Address requesting, establishing, issuing, suspending, modifying and closing user accounts and related user privileges with a set of user account management procedures.  Include an approval procedure outlining the data or system owner granting the access privileges” (IT Governance Institute, 2007).  The set policy should apply to all people within the company for normal and emergency cases.  “Rights and obligations relative to access to enterprise systems and information should be contractually arranged for all types of users” (IT Governance Institute, 2007).  The section quoted here from COBIT was exactly what Solo Cup derived for their company policy.

            Next, according to the dictionary, policy is the rules and regulations set by the organization to determine the type of internal and external information the employees can access (Policy, 2013).  IT policy can be used as a control document for working guidelines. The method for constructing IT policy is by using control documentation as an interface that houses manuals, flowcharts, decision tables, and completed questionnaires (O’Donnell).  Each person that is a stakeholder within the company needs to read the house manuals and complete questionnaires for a level of understanding what rules need to be followed. 

             Then, an Interface Control Document: an ICD describes the interworking of two elements in a system that shares a common interface and can be used to give people access within a system to do their job, state policies and what the interface does (Chamber.com).  A risk assessment can solve problems and protect the company just as well as an ICD.  Some healthcare companies use the National Institute of Standards and Technology (NIST) to help with creating a risk assessment.  The guidelines set by NIST include describing the purpose of the risk assessment, including questions to be answered by the assessment.  Identify assumptions and constraints.  Describe risk tolerance inputs to the risk assessment.  Identify and describe the risk model and analytic approach.  Provide a rationale for any risk-related decisions during the risk assessment process.  Describe the uncertainties and how those uncertainties influence decisions. Describe the systems and dependencies on any other systems, shared services, or common infrastructures.  Summarize results in a form table that enables decision makers to quickly understand the risk.  Identify the time frame for which the risk assessment is valid.  List the risk to adversarial threats and non-adversarial threats (U.S., Department of Commerce, 2012).  The risk assessment should be created in house and not outsourced to a third party for creation; this eliminates the risk of adversaries acquiring data to commit fraudulent activities.

             Finally, Matt Shipman posted on Technews for the ACM website about how a new tool makes programs more efficient without sacrificing safety functions.  North Carolina State researchers developed software that helps programs run more efficiently on multicore chips without sacrificing safety features.  The purpose of this tool was to increase the program speed.  “The tool is to function automatically and does not involve manual reprogramming”, says Tuck.  The safety features on a program are to protect users, but they make the program slow down up to 1,000 percent or more.  The researchers at NCU have developed a tool that takes advantage of multi-core computer chips by running the safety features on a separate core in the same chip.  This tool makes programs run close to normal speed and still includes safety features to protect the user (Shipman).  I believe that policy still needs to be assessed and followed here, even if safety risk precautions were lowered by a percentage.

             In conclusion, a company should look towards COBIT for policy guidelines.  The policy should include guidelines from a set definition that creates effective and valuable services for an organization.  The policy may include a complete set of security policies and standards in line with the established information security policy framework; procedures to implement and enforce the policies and standards with roles and responsibilities of each worker; staffing requirements; security awareness and training; enforcement practices; investments in required security resources; scope and objectives of the security management function; compliance and risk drivers; security compliance policy; management risk acceptance (security non-compliance acknowledgement); external communications security policy; firewall policy; e-mail security policy; an agreement to comply with IS policies; laptop/desktop computer security policy; internet usage policy; ensure system security; manage the configuration, data, third-parties, operations, and problems or incidents; install and accredit solutions and changes; and end-user computing policy  (IT Governance Institute, 2007).