Organizational Software Use Policies

Background

At this point it is pertinent to define the following the terms ‘policy’, ‘software’ and ‘software policy’. A policy is a deliberate plan of action to guide decisions and achieve rational outcome(s) (Adomi, 2008). Policy helps to define what is considered valuable, and specifies what steps should be taken to safeguard those assets (Gafinkel & Spafford 1996). Policy is defined as the set of laws, rules, practices, norms, and fashions that regulate how an organization manages, protects, and distributes sensitive information, and that regulates how an organization protects system services. (Longley & Shain, 1990; DoDCSEC 1985). The term policy may apply to individuals, government, private sector organizations and groups. Presidential executive orders, corporate privacy policies, and parliamentary rules of order are all examples of policy. Policy differs from rules or law. While law can compel or prohibit behaviors (e.g. a law requiring the payment of taxes on income) policy merely guides actions toward those that are most likely to achieve a desired outcome Longley & Shain, 1990; DoDCSEC 1985; Dijker, 1996).

Policy may also refer to the process of making important organizational decisions, including the identification of different alternatives such as programs or spending priorities, and choosing among them on the basis of the impact they will have. Policies can be understood as political, management, financial, and administrative mechanisms arranged to reach explicit goals (Gafinkel & Spafford 1996). Access to a system may be granted only if the appropriate clearances are presented. Policy defines the clearance levels that are needed by system subjects to access objects (DoDISPR, 1982). In an access control model, policy specifies the access rules for an access control framework (Kao & Chow, 1995).