
The Importance of a Good Information Security Policy – Part 1

Information security policy is a high-level set of security-related requirements that set the ground rules for security within an organization. A good policy should cover critical issues such as user responsibilities, ownership of information processing resources and information, baseline security, and so on. A good information security policy is one of the critical underpinnings of an effective security practice, yet not all security policies in today’s information security practices are up to par.

As the High Tower CISO, I’ve wrestled with the provisions of our security policy. I am not trying to criticize any of my predecessors at High Tower, but when I took over the lead security role, I found that our information security policy was not what was needed. Someone had apparently ordered what might be described as a policies kit that covered a wide range of security-related issues. Each area in turn consisted of a myriad of policy statements, many of which appeared to apply to environments considerably different from High Tower’s. I suspect that if every employee had been required to learn the many policy provisions and then been tested on them, the average score would not have been very high; the amount of content was simply overwhelming. Perhaps worse yet, critical issues such as data ownership were omitted altogether.

I found that I had to throw out everything that had been done before and start working on our policy from scratch. The starting point for me was talking with the person who was our CEO at that time to learn his expectations concerning information security. Using the notes from our talk, together with my knowledge of what our company is trying to accomplish and how we are trying to achieve our goals, I identified nine major areas that I felt would have to be addressed in High Tower’s security policy. Among these was the area of employee responsibilities concerning the use and care of computing resources. Another was ownership of company information and computer resources.

I am a firm believer that an information security policy needs to be a high-level document—one that provides guidance and direction to management, system and data owners, system and network administrators, and users without specifying to a “T” exactly what to do. Standards and procedures, both of which should ultimately be derived from policy, are designed to provide more explicit direction. Besides, just as a country’s constitution should continue to be meaningful over time and as conditions change, a good security policy should stay relevant over time and despite changes such as technology and operational changes within an organization. I thus wrote the policy provisions for the nine major areas of the policy such that each was covered at a high enough level to provide meaningful direction without mandating exactly what to do.

No security policy will work universally exactly as it is written. Special business and operational needs that arise from time to time will dictate that exceptions to certain policy provisions be granted. I thus ensured that provisions concerning how to apply for, and how to grant, exceptions were incorporated into the High Tower policy.

I also believe that a policy that is not worded clearly and simply will not achieve the desired results. I thus attempted to write the policy provisions using simple wording, and my sentences also tended to be short. I “bounced” several draft versions off a variety of High Tower employees to determine whether the policy provisions were as understandable as I wanted them to be, using the feedback I obtained to make modifications throughout the document.

Finally, I met with the CEO of High Tower to go over the policy document as it was at the time and ensure that he agreed with the provisions therein. After making several modifications that he wanted, I asked him to sign off on the policy. Once he did so, I ensured that the signed version was posted on our company’s Web site. After all, without unambiguous senior management backing, employees and others such as contractors are likely to pay attention to little if any information security-related guidance and requirements.

A security policy is invariably a living document. No matter how well written a policy document is, changes will be necessary over time. I thus review the policy provisions no less than once a year, proposing changes as they are needed. The CEO must sign off on any changes. The most recent change, for example, concerned the addition of special precautions required when sensitive and proprietary information is taken offsite.

Policy is critical in information security. Without a policy that is appropriate for an organization’s business and operations, that is openly backed by senior management, and that is clearly and succinctly written, information security efforts are almost invariably marginalized by lack of direction and by what effectively amounts to anarchy. I’ve shared some of the things I’ve done to develop and maintain an effective security policy at High Tower in the hope that they may help others who are struggling with policy-related issues in their own security practices.
