Guidelines to Building Security Policies
November 14, 2012Over the past year, a number of companies have discharged employees for improper use of the Internet and email systems. Because of the lack of awareness programs, hackers have successfully used social engineering tactics to gain access to proprietary information.
At the end of the day, we must all recognize the real value of information. It is what makes any business unique, be it the customer list, the secret formula or next year’s plans. What we are talking about in terms of protecting this information is managing people not bits of equipment. That is the real challenge of effective policy and a smart business. Making executives aware of the business need is the key. Often security and policy development is critical to an organization’s ability to maintain customer trust and confidence.
In most organizations Information security policies, procedures and management were generally mediocre and don’t match the business operational model. As a result, the organization’s operational situation was never in sync with the security provisions / if companies fail to take necessary precautions and become victims of attacks, companies’ bottom line can be directly affected, with “the value of the company going down exponentially.
You have to do things in consideration of security and privacy as business processes are supported by applications. The more security and privacy are seen as enabling what you are trying to accomplish, the better and more effective security and privacy actions will be.
Best IT Documents suggests that organizations follow some basic steps and begin by viewing policy in business-enabling terms. Build a security policy upon the foundation of business objectives, first and foremost. Find ways to facilitate business objectives through policy. The standards and procedures set forth in policies must not impede business.
Some guidelines to build policy:
1) Look at regulatory issues the company may be facing
2) Examine how information flows across a business
3) There may be conflicts in the use of company information by different units that will need resolving in policy
4) Establish a business case importance for proper security tool deployment and policy creation
5) Get buy-in from the various divisions
If policy is not aligned to business goals, then you’ve got a problem. Legislative mandates for certain vertical markets are drivers for adopting better security practices and forming detailed policies, but what you will find to be an even more important push is the maintenance of consumer trust.
Without customers’ faith in their favorite business, even a large company can falter.
Establish Internet usage policies for companies, says that having a blanket security policy brings departments together to resolve these and other issues that otherwise may have been left untouched. “It’s getting IT, HR and senior management to talk and to look at corporate culture to define policies that benefit the business,” she explains. “From a litigation, production and security standpoint, companies have to face the fact that they need policies.”
Many companies may claim they have a security policy in place. Of these, the great majority fail to write those policies down, much less disseminate them to the workers needing to know about them. “When they don’t have a policy written down, they make it up as they go along. If it’s not documented, it is subject to interpretation,” he explains.
Another problem that he sees is that the organizations that have actually tried their hands at drafting a coherent security framework for the staff have allowed it to become outdated. Changes in business, technical, regulatory and other areas are ignored in their written policy.
Policies need to be regularly reviewed to be consistent with the world at large, he states. “What any policy should do, is give everyone guidance in the absence of management. Think of it as one document with a bunch of URLs in it.
Policy really provides overall guidance … but, more importantly, it allows the technical folks to get out of making the business decisions.
Management can choose whether to accept or not accept the risk.”
At the start of the planning process policy development must be driven from the top. From that point, improvements and details are pushed bottom up.
In this way, business units can ensure that security procedures are not “adding onto someone’s day-to-day grind.” To start the policy development process, he suggests company executives ask themselves questions about the policy’s lifecycle:
How should known risks the company has and any regulatory mandates drive the creation of policies? For this, following basic best practices set forth in such resources as ISO2700x are good starting points.
- How should policies be published and disseminated to employees?
- Awareness programs you oversee must ensure that apathy is banished?
- How should the policy be enforced and in what ways can employees be tested to make sure they understand not only the policies, but also their value?
- How should naysayers be dealt with?
- If for instance, test results reveal a worker is not doing well in understanding, the policy can note that business units and their managers will be held accountable for the risk?
- How are policies updated and, with this, how are employees kept abreast of these updates?
www.bestitdocuments.com