Writing Identity Policies

We've already discussed four important attributes of a good identity policy. In addition to those specific attributes, there are important guidelines that will help ensure that your policies are implementable, enforceable, understandable, and guided by the business:

What should a policy look like? Typically, identity policies have a set of sections that follow an identifiable outline. I recommend the following sections:

Section 1: Purpose

This section is typically just a paragraph or two long and answers the question, "Why is this policy needed?"

Section 2: Scope

This section is also generally short and identifies what is covered by the policy.

Section 3: Definitions

This section is simply a list of definitions of terms used in the rest of the document. Clear definitions are important in avoiding ambiguity in later sections and avoiding lengthy explanations of concepts in the main body of the policy. Note that the point of this section is not to give dictionary definitions so much as to give definitions specific to the organization and how the words are used in the policy.

Section 4: References

This section is a list of other policies, standards, and documents that are used in the body of the policy.

Section 5: Policy

This section is the main body of the document and describes in detail the requirements of the policy. This section may have a number of subsections.

Section 6: Enforcement

This section describes what actions will be taken when the policy is violated. Some enforcement actions may be against personnel (e.g., an HR action), and others may be against organizations (e.g., a budget action). In the case of personnel actions, you typically won't include them in the policy directly, but will include them by reference to the appropriate HR policy.

Section 7: Contacts

This section lists who is responsible for the policy and its review, modification, and enforcement. Specify this by title and position, not name, so that the policy is not outdated by irrelevant personnel actions.

Section 8: Revision History

This section documents each revision by date and the primary changes.

The specific policies you develop may have all or only some of these sections depending on the circumstance. I recommend that you develop a policy template for your organization and use it for every policy so the policies have a consistent style and format.