Securty Policy The Four Es
November 15, 2012The first step in the policy implementation process consists of the Four Es:
- Evaluation of current policy.
- Establishment of policies and procedures.
- Education.
- Enforcement. Companies often neglect the education and enforcement portions of the cycle, she adds.
Educating employees can be handled in a number of different ways, spearheading awareness programs – complete with posters, in-service training, kiosks with information, and more.
- Businesses must remember that security policies and procedures rely squarely on educating the staff about them, Security Designers’ Grogan cautions. Therefore, training and enforcement mechanisms are a requirement.
- Short briefings and informative classes can be held as part as staff meetings, or tools that monitor for potentially offensive emails could be deployed, for example.
- In support of a well-thought out policy roll-out, you need to offer policy training and somewhere to go after [training] as questions come up.
- Not having a security policy increases your business risk, but having one and not communicating its meaning and existence is just sheer bad management.
- You should communicate clearly to staff what the policy is and the consequences of failing to meet it.
- Once it has been seen to be enforced a few times, your business risk declines dramatically.
- Organizations must remember that security policy is a cycle of updates, dissemination, awareness and enforcement.
- The cycle must always account for effects that could be wrought from outside corporate walls, such as regulations or new attacks. More than that, however, is the necessity for policy to be driven by business needs.
- In creating those company wide decrees, executives should be certain to include employees whenever possible in the development of policies.
- Any meaningful policy that has to do with the company culture has to emanate from the top down.
- Managers should build upon the idea that security begins with everyone – Management included.
- A security policy should be broad enough so that it does not require constant updates.
- In policy construction you must be able to measure its impact.
www.bestitdocuments.com