Five Things: Creating high quality security policies
Security policies are the foundation of an enterprise information security program. Without a solid foundation in place you simply cannot build a sturdy, long-lasting structure, be it a building or a security program. Below are five things that can help you ensure your foundation is strong.
- Use a framework. By starting with a trusted framework you can avoid reinventing the wheel. A framework like ISO2700x will provide you with the areas you need to cover in your policies. Then it’s your job to customize the policies so they fit your environment.
- Make sure your policies are readable to non-technical folks. A policy is a strategic statement. It is not meant to give the details on what technology will be used, or how it will be implemented. If you include too much detail you run the risk of making an unreadable document. A good policy can be read and understood by anyone in the organization. Leave the technical-speak for your standards and procedures.
- Get executive buy-in. Board or senior leadership buy-in is critical to a security program. Some standards (such as GLBA) even require Board sign-off on security policies. By getting the organization’s senior leadership on board we ensure that security will have the funding, personnel and support it needs to succeed. The senior leaders do not need to be an active part of the policy creation, but they should review and approve the completed policies so that they understand and support them.
- Communicate your policies. Too many organizations create a set of security policies, only to see those policies sit on a server, unread by anyone outside the groups who created and approved them. Policies should be communicated widely throughout the organization. Security awareness training is the most obvious way to educate employees about the security policies, but topical posters, relevant emails, and ongoing reminders at staff meetings can be effective and cost-effective as well.
- Maintain your policies. Organizations are dynamic. What worked for you in 2008 probably doesn’t work in 2010, and what works for us here in 2010 will most likely not work in 2012. As such, keeping policies up to date is a crucial task for organizations. A regular schedule should be created for reviewing and updating policies as appropriate. Ideally, policies should be reviewed quarterly, and no less often than annually.
High quality policies aren’t the whole story. We also need structure through quality standards and detailed procedures, but without the foundation your program doesn’t have a chance for success. Give your security policies the time and resources they need.