
Security policy – Why do I need it?

Defining a security policy may be a legal requirement in some industries. Additionally, it shows an organized commitment to information security, fostering a strong reputation and trust with business partners.

But the main reason to define a policy is that it plays an important role in protecting your information assets, which are strategic to the survival of the organization.

There are four key elements of this policy:

1. The Philosophy is the approach towards information security, the guiding principles of the information security strategy. The security philosophy is a big umbrella under which all other security mechanisms should fall.

2. The Strategy is a measurable plan detailing how the organization intends to achieve the objectives that are laid out, either implicitly or explicitly, within the framework of the philosophy.

3. Rules define the dos and the don'ts of information security, again within the framework of the philosophy.

4. Practices define the “how” of the organization's policy. They are a practical guide regarding what to do and how to do it.

Implementing a security policy requires creating a supportive environment and promoting user education. The creation of a policy is normally driven by the power structures of the organization, motivated by a clear vision of the strategic importance of information security to the success of the enterprise.

If that is not initially the case, changes to the organization's structures and culture may be necessary, since an effective security policy must be implemented throughout the organization. Keeping these elements in mind, we can now explore the practical implementation of a security policy.

Désiré has been musing and writing about technology during a career spanning four decades. He dabbled in website building and web hosting when DHTML and frames were en vogue and started writing about the impact of technology on society just before the start of the Y2K hysteria at the turn of the last millennium. Following an eight-year stint at where he discovered the joys of global tech-fests, Désiré now heads up TechRadar Pro. Previously he was a freelance technology journalist at Incisive Media, Breakthrough Publishing and Vnunet, and Business Magazine. He also launched and hosted the first Tech Radio Show on Radio Plus.