The Importance of a Good Information Security Policy – Part 4
I don’t want to drone on and on concerning information security policy, but this issue is so important that it warrants considerable analysis and discussion. In this last blog entry on this topic, I’ll assume that an organization has an appropriate, well-written, and well-distributed information security policy. This organization may deserve plenty of credit for this accomplishment, but if it does not do more with the policy, the policy will not yield the range of benefits that it can and should produce. In short, an information security policy should be the anchor of a number of important processes that go well beyond simply having a policy in place. Here are a few examples:
1. Dealings with potential business partners, contractors, and others can and should be dependent upon information security policy. As I mentioned earlier, an information security policy reveals an organization’s security posture. If an organization that has a reasonably good security posture is contemplating doing business with a potential partner, the way the potential partner practices information security could very much affect security-related risk and risk management within that organization. If the potential partner has a similar security posture, the organization has little to worry about. If, on the other hand, the potential partner has a poor security posture, then once the organization opens up its network and furnishes business-critical information to that partner, the organization’s security risk will skyrocket. The information security policies of both the organization and the potential partner often provide the best “yardstick” of the state of security in each entity. An increasing number of organizations require that potential business partners, consultancies, and so on pass a security audit based on the organization’s information security policy before they will do business with the outside entities.
2. Where applicable, information security policy provisions need to be part of negotiations with both internal and external service providers. This is particularly important in internal service level agreements (SLAs), e.g., when a function or group within an organization is considering obtaining network or system administration services from an internal provider. Provisions in the information security policy should translate to requirements in SLAs. The same is also true for external providers; in this case, information security policy provisions should become the basis for contractual provisions. If for any reason the provider has neglected to provide the security called for in an SLA or contract, the function or group that pays for the provider’s services can threaten to withhold payment, actually withhold it, or take other permissible measures.
3. A growing number of information security practices take out insurance against large security-related losses due to security incidents. The insured typically must first prove to the insurer that it is a good risk, however. External auditors are thus often called in to audit security in the organization that the security practice serves. Frequently, the quality and enforceability of the information security policy are heavily scrutinized in the audit.
In conclusion, a good information security policy has many benefits, some that apply directly to an information security practice, and some that have potentially far-reaching effects throughout an entire organization. When push comes to shove, nothing is more important in information security than policy.