Navigant's Cyber Risk and Information Security Practice

Information Security Policies: What You Need to Know
12 May 2015

By
Policy Development, Risk Management

Just imagine managing the day-to-day operations of your organization without the existence of policies. It would be similar to attempting to fly a kite without a string.

Policies serve as a foundation of your organization. They establish the framework that enables your entire team to develop a common understanding of the expectations, goals, and objectives of management. In the absence of policy, employees are forced to make decisions based solely on personal opinion and past experiences, which may not align with those of management. Documented policies also enable your organization to enforce policy, if and when the need arises.

Information security policies are especially critical to your organization. Yet given the fast pace at which technology is evolving, these policies require strategy and effort to set up, enforce, and maintain. How can you establish an effective set of information security policies? These tips can help you get started.

Involve all lines of business
While information security officers are typically charged with the responsibility of creating security policies, the effort needs to extend across several lines of business. A collaborative approach ensures that all business-related issues are addressed. By partnering with other areas within an organization, security officers often achieve a greater level of corporate support. In addition, collaboration generates buy-in from partners, who often end up taking ownership of the part of the final product that relates to their line of business. If security policies are developed solely within IT, important business considerations may be overlooked. As we discussed in a recent blog post, IT specialists are not cyber security specialists. They’re also not business specialists. So make sure you get input not only from a cyber security expert but also from your internal human resources, legal, compliance, and finance teams.

Define how to create and maintain security policies
A clearly defined policy creation and maintenance practice is also recommended. This entails defining the processes for initiating, creating, reviewing, and approving policies, and who owns each step. Write the security policies in directive language ("must", "shall") so that compliance with them can be measured and enforced.

Although the standard is to review policies and require employee acknowledgement annually, policies should be written to survive two or three years where possible. Policies written as high-level statements of your organization's security objectives need revision less often than those that describe specific technologies.

Develop standalone documents for the underlying methods and technologies required to implement the controls that support the policies. Examples include procedures, standards, guidelines, and other supporting documents referenced in the policy. Keeping these details out of the policy itself means the policy stays stable while the supporting documents change with the technology.

Review security policies regularly
It is important to establish a regular review schedule for policies in order to ensure that your security policies remain aligned with business objectives; to identify the need for new or revised policies based on incident reporting; and to confirm that policies continue to provide the elements necessary to resolve or interpret conflicts that may arise. Security policies with clearly defined exception processes and sanctions for noncompliance are the most effective.

Establishing security policies is a labor-intensive but incredibly important process. To help, COMPASS has developed a set of 36 policies comprising more than a thousand elements that reflect best practices for acceptable use policy (AUP), mobile computing security policy, and backup, recovery, and business continuity policy, to name a few. These policies have been reviewed by attorneys specializing in cyber security practices.

If you need information on a policy gap analysis or assistance developing security policies for your organization, reach out to us today.
