How to make your information security policy work for you

How secure is your organisation? Security is a major concern for most organisations: preventing data breaches and security lapses requires a well-planned strategy.

An organisation's security policy helps it protect both its physical and its IT assets. This policy differs from many others: it is a living document that needs regular review. Organisations have to adopt new security measures as new technology arrives, and employees need the knowledge to protect company assets. Achieving that requires an effective strategy and proper enforcement.

Challenges Companies Commonly Face

Gartner published a report that highlights the challenges organisations face when creating an effective security policy. Companies often stumble at the basic steps.

First, many organisations design their security policy in isolation from their employees. A policy drafted without employee input invites resistance between the organisation and its staff.

Rigid policies work poorly because they limit the ability of employees and the company to act in an emergency; such policies can be disastrous and lead to problems on many fronts.

Failure to meet legal and regulatory compliance requirements can expose a company to legal obstacles and penalties. Another problem is that companies fail to keep pace with rapidly evolving technology: the environment changes every few years, and the right technology today may not be appropriate tomorrow.

Effective Policy Making – The Golden Rules

So, what should an effective security policy contain?

Here are five golden rules that can help you create an effective security policy that actually works.

1. Create a Master Policy for Developing Your Policy

Your security policy is a living document and has to change over time. But how do you change it? Do you make changes whenever you feel like it, or only when there is a specific trigger?

You need a master policy that determines when and how the security policy document may be changed. Employees must be able to express their views on proposed changes; otherwise the result is resistance and lost productivity. Some parameters to include in a master policy:

  • Schedule periodic reviews of the security policy.
  • Do not rush the design of the policy; a policy that takes time to develop is more effective and better tailored to your organisation's needs.
  • Keep the full range of business risks in mind, but write rules only for the areas that deserve the highest attention, that is, the highest business risks.
  • Write down the goal of each policy; this is useful when the policy is revised.

2. Have Flexibility

A structured approach helps you achieve better results. If you have multiple business units, you need coordination between them. Different units have different needs, and your policy must be flexible enough to accommodate them all. For instance, a business unit that operates IT servers needs a set of security controls to manage the risks those servers carry; a business unit without servers may not need those controls. The policy language must accommodate these varying requirements, and the drafter has to understand that the choice between words like 'must' and 'should', or 'may' and 'can', makes a world of difference: 'must' states a mandatory requirement that can be audited and enforced, while 'should' states a recommendation that a unit may justifiably deviate from.

3. Have Engagement

A policy developed in isolation will not last. You need the engagement of employees and stakeholders, which means building support all the way from upper management down to the employee teams; at times this seems a daunting task.

To achieve this:

  • Be flexible in your approach to suit the needs of all business units.
  • Ensure that employees and stakeholders understand the policy's implications.
  • Build coordination and support from the lowest level upward.

4. Don't Let Just Anyone Draft Your Policy

Who will take responsibility for drafting the policy? You need someone who is not only trustworthy but also competent: look for an expert in policy development who knows how to write policies in the right style, with rules that are firm yet flexible. Drafting policy requires a specific set of skills. The policy drafter should:

  • Understand the mindset of the readers.
  • Understand the organisational culture and its specific needs.
  • Avoid specifics such as dates, product names or service names in the policy itself; they become obsolete in no time.
  • Be specific and clear about what is required; ambiguity has no place in a policy.

The drafter also needs to write in simple language that everyone can understand, including employees of business units in other countries. Small differences in wording can lead to different interpretations, so the language must be unambiguous.

5. Is the Policy Practical?

Does the policy pass the real-world test? A security policy that can only be implemented on paper is of no use. Think through the situations that can arise; your policy needs to be enforceable in each of them. Think about the different ways a security breach could occur and what would happen next. Your security policy needs to cover the whole range, from detecting security threats, meeting compliance requirements and handling non-compliance, to mitigating the various risks.

Conclusion:

In the end, your organisation needs to adopt its security policies and keep them continually up to date with external requirements. Your security policy sets out the organisation's established position on security risk, and that position must match the risk appetite of the business. The policy should be written by security experts, according to the organisation's security environment.

Gunjan Tripathi