
The Importance of a Good Information Security Policy – Part 2

This blog entry picks up where my previous one (“The Importance of a Good Information Security Policy – Part 1”) leaves off. Many potential pitfalls exist in developing an information security policy, but even if information security professionals manage to avoid them, other obstacles can prevent such a policy from being effective. The reason is that developing a policy is only the first part of what ideally should be an entire cycle of policy-related activities. This cycle should include assessing requirements (particularly through communicating with senior-level management), writing the policy, obtaining feedback and making appropriate changes, getting senior management sign-off, distributing the policy, enforcing the policy, and periodically reviewing the policy and making appropriate changes. Of all the activities in this cycle, enforcing the policy is often the most challenging.

Enforcing any information security-related requirement is usually tricky, but enforcing policy is often particularly challenging. Several potential approaches exist, the first of which is to rely on audit to do the enforcement. Audit, after all, usually wields a big stick, or at least a bigger stick than most other functions. One of the major problems with this approach, however, is that one must wait until audit is ready to conduct an audit that includes reviewing compliance with policy. Relying on other functions such as human relations (HR) to help with compliance is another reasonable approach, but it has some major limitations, too. For one thing, HR’s scope in looking at the range of issues covered by an information security policy is generally much narrower than that of the information security function. The information security manager (ISM) can also take on the role of security compliance officer, and is often compelled to do so. Although the ISM is likely to understand the provisions of information security policy better than anyone else, assuming the role of policy enforcer is risky because of the potential for alienating others within the organization. If the ISM does assume this role, the best course is a kinder, gentler one in which the ISM tries to persuade those out of compliance to comply rather than attempting to force them to do so.

Some information security policies are well enforced, whereas others are not (or at least are not enforced very well). What about unenforced policies? Security luminary Marcus Ranum has recently gone on record as saying that an unenforced policy is really no policy at all. To say that a number of information security professionals took umbrage at Marcus’ assertion is an understatement. These professionals point out that factors well beyond the control of ISMs often result in information security policy not being enforced—the fact that there is a policy at least means that some of the necessary work in assessing and communicating high-level requirements has been done. Still, if information security policies are to be worthwhile, they need to be instrumental in achieving risk management goals. If they fall radically short of their purpose because they do not increase compliance with their requirements, their value must be questioned. To say this more diplomatically than Marcus did, any information security policy that is not enforced does not do much good, if any, no matter how well written it is.

The bottom line is that writing an information security policy is only the beginning point. A good policy is one that reflects senior management’s expectations, is signed off by senior management, states high-level requirements, is clear and easy to read, is well-distributed, and is properly maintained and enforced over time.
