Elements of security policy style, Part 5

Aug 21, 2003

Tips for maintaining security policies

In this short series of articles, I am updating materials I wrote for Chapter 28 (“Security Policy Guidelines”) of _The Computer Security Handbook, 4th Edition_. This fifth and final column provides suggestions on maintaining security policies.

There can be no fixed policy document that covers all eventualities. The information security field changes constantly, and so must policies. Information security is a process much like total quality management: to succeed, both require thoroughgoing integration into corporate culture rather than a one-time document.

Above all, some named individuals must see maintaining security policies as an explicit part of their job descriptions. Hoping that someone will spontaneously maintain security policies is like hoping that someone will spontaneously maintain financial records. However, security policies should represent the best efforts of people from throughout the organization, not the arbitrary dictates of just one person.

Review Process

An information-protection working group can meet regularly – quarterly is a good frequency to try – to review all or part of the policies. Employees can be encouraged to suggest improvements in policies or to propose new policies. The working group can identify key areas of greatest change and work on those first, leaving minor policy changes to subcommittees. Members of the working group should discuss ideas with their colleagues from throughout the enterprise, not just with each other. Every effort should contribute to increasing the legitimate sense of involvement in security policy by all employees, including managers and executives.

Announcing Changes

Drafts of the new versions can be circulated to the people principally affected by changes so that their responses can improve the new edition. Truly respectful enquiry will result in a greater sense of ownership of the policies by employees, although few of them will rejoice in the new policies. Some employees will see new security policies merely as a mild irritant, while others may view them as a tremendous obstacle to productivity and a general nuisance.

Ideally, major changes in policy should be described and explained in several ways. For example, a letter or e-mail from the president, chair of the board of directors, chief officers (CEO, CIO, CFO), or the chief information security officer can announce important changes in policy and the reasons for the changes. Such a message should be digitally signed, one hopes: a message claiming to come from an executive and asking staff to change how they handle security is exactly the kind of lure an attacker would forge, and a verifiable signature lets recipients confirm that the announcement is genuine and unaltered. A brief article in the organization’s internal newsletter, or a spot on the intranet, can also provide channels for communicating policy decisions to everyone involved.