Having trouble creating an effective security policy for your organization, but not sure of the best approach to developing one? You’re not alone.
It’s one thing to know how a security environment should be constructed, but translating this into a written set of enforceable rules is a discrete skill. Despite the wealth of resources on writing information security policies, companies still struggle with balancing the right level of guidance, a sufficiently direct style and a risk-based approach.
According to Rob McMillan, research director at Gartner: “If you can’t translate your requirements into effective policy, then you’ve little hope of your requirements being met in an enforceable way. But if you get it right, it will make a big difference in your organization’s ability to reduce risk.”
Your security policy defines and documents your organization’s established position about the security risks that must be controlled to meet the risk appetite of the business, which will ultimately fund security controls and bear any residual risk.
By 2018, 50% of organizations in supply chain relationships will use the effectiveness of their counterpart’s security policy to assess the risks in continuing the relationship, up from 5% today. The importance of an effective security policy can’t be ignored.
Approach security policy development as a process
It’s a mistake to assume that you can successfully develop policy by having a knowledgeable person compose a document in one sitting in isolation from the rest of the organisation. This will alienate the rest of the organisation and lead to high levels of resistance and counter productivity.
“Successful policy outcomes almost always require a process of consultation and iteration before a final, sustainable policy position is drafted,” says McMillan. “If you can’t defend your process, then you can’t defend your policy.”
Policies also require universal support, otherwise they can be undermined if the stakeholders affected by them have not helped to shape the outcome. Consult with each business unit that is affected by the policy if it’s to be politically and pragmatically viable. Ensure wide-ranging support at the senior management level prior to seeking final approval from the CEO or equivalent position.
A common criticism of policies and standards is that they often can tell people what they cannot do, but rarely tell people what they can do. Test out a number of actual scenarios that staff members are faced with, and determine how the policy supports or inhibits them.
Don’t forget compliance. If you can’t verify compliance, then it’s possible that the policy statement may be unenforceable. You don’t want to be left with a control that is not fully effective in mitigating risks.