Despite their seemingly mundane nature, policies form the cornerstone of the information security program. In a large organization, they are instrumental for enforcing global consistency, driving change and launching enterprise programs.
Many regulations require a documented security program supported by policies and standards. In today's tough regulatory climate, companies need to be able to prove consistency and articulate their information protection needs. Policies help capture these needs and enforce management's commitment to protecting information assets. Developing, documenting and implementing policy in a large organization can be tricky. If you don't take the big picture into account, such as long-term implications and cost impact, then you might be doing more harm than good by documenting requirements that no one is actually following. In addition, if user training and awareness, continuous monitoring and robust communication plans are not part of your plan, then your implementation efforts may not be successful.
The policy creation process should be as collaborative as possible. Policies written in a vacuum will die in a vacuum. To create an effective policy, you'll need input from across the organization, active participation in the refinement process, and stakeholder buy-in and support before implementation can actually take place. Organizations should define policy approval structures that give adequate representation to key stakeholders, including senior leadership from IT, legal, human resources, business and security. The good news is that once everyone is aligned, driving the security program based on the policy can provide air cover for the security team, implementation consistency and clear expectations.
If your organization is regulated, your policy might need a strongly worded approach that articulates mandatory regulatory requirements. Resist the urge to use boilerplate policy as anything more than a starting point though. Without fully understanding security controls and their potential impact on your organization, you might be saving time up front only to cause a lot of confusion down the road.
Policies also need flexible exception processes with some level of oversight. Even the best policies can't anticipate every possible implementation scenario. A documented exception process should be established in order to review implementation issues. Too many exceptions might mean that the policy needs to be modified or that enforcement may need to be strengthened.
Policies are more than just words on paper. They are a foundational element of the security program that literally puts everyone on the same page.
30 seconds on...
» When establishing policy, using frameworks like ISO/IEC 27001 (and applicable regulatory frameworks, like FFIEC for financial institutions) can help ensure that you've captured the basics as a starting point.
» Clear and direct writing
» Get staff up to speed