Defining a security policy may be a legal requirement in some industries. Additionally, it shows an organized commitment to information security, fostering a strong reputation and trust from business partners.
But the main reason to define a policy is that it plays an important role in protecting your information assets, which is strategic to the survival of the organization.
There are four key elements of this policy:
1. The Philosophy is the approach towards information security, the guiding principles of the information security strategy. The security philosophy is a big umbrella under which all other security mechanisms should fall.
2. The Strategy is a measurable plan detailing how the organization intends to achieve the objectives that are laid out, either implicitly or explicitly, within the framework of the philosophy.
3. Rules define the dos and the don'ts of information security, again within the framework of the philosophy.
4. Practices define the “how” of the organization's policy. They are a practical guide regarding what to do and how to do it.
Implementing a security policy requires creating a supportive environment and promoting user education. The creation of a policy is normally driven by the power structures of the organization, motivated by a clear vision of the strategic importance of information security to the success of the enterprise.
If that is not initially the case, changes to the structures and culture may be necessary since an effective security policy must be implemented throughout the organization. Keeping these elements in mind, we can now explore the practical implementation of a security policy.