We all know how important they are, but the fact is that security policies are often the most neglected part of information security programs. As a result, they are rarely effective and can increase enterprise risk. IT compliance starts with comprehensive security policies, issued by the organization to protect its valuable information. Though they require an investment of time, policies can be addressed with little or no cost. To improve the success of information security policy roll-outs, below are the five critical factors an organization must consider.
- Keep Them Simple: Policies are defined as an organized grouping of management statements that govern the operation of the company. Users will be expected to understand and comply with the organization’s security policies, so the policies should be user-friendly. To keep them simple, organize the policies with the end-user in mind and keep the content short but comprehensive. Address more specific regulatory requirements, such as encryption strength, with detailed specifications in the standards rather than in the policy itself.
- Maintain Separate Policies, Standards and Procedures: Many organizations make the mistake of mixing policies, standards and procedures into a single bloated document. Policies should simply reference supporting security standards, such as an “Encryption Standard” or even a “VPN Device Configuration Standard” that contains specific configuration settings. Procedures, which are used to document the process followed in complying with policies and standards, should also be kept separate.
- Organize Policies by User Role: Security policies should address both end-user behavior and IT functions such as network operations. A common mistake organizations make is addressing both end-users and IT functions in the same policy document. Successful security policies are organized by user role so that each user receives only the policies that apply to them. For example, all end-user policy statements may be organized into one document that is relevant to every user, while network security policy statements are organized into a “Network Protection Policy” document that is specifically relevant to the networking teams within the IT function.
- Get Executive Buy-in: Since security policies often change the way an organization operates, there is frequently resistance from the departments that will be affected. It is extremely important to secure executive authority for a new or updated policy early in the policy development process, to head off political skirmishes. It is equally important to involve key stakeholders from the IT, legal and human resources departments in the development process so that issues can be addressed more easily at that stage.
- Promote New Security Policies: After the policies are approved, it is time to implement them. Start by asking a key executive to send an informative email about the new policy to the organization. Next, send all users an email with links to the network location of the new policies. Be sure to allow a reasonable grace period for compliance, normally three to six months. Lastly, ensure the new policy content is incorporated into the organization’s security awareness training program.