Security policies: Don’t be an army of one

Harris Weisman’s recent article “Security policies: Don’t be an army of one”:

One of the most difficult duties the majority of information security professionals face is the development, implementation and enforcement of information security policies. While many organizations accept the fact that security policies are needed, more often than not projects that address policy issues are given a low priority, insufficient resources and inadequate funding. In many cases, information security professionals are left on their own to create and implement policy, train staff and run enforcement.

However, with the change in the legislative climate (the passing of SOX, GLBA and HIPAA), organizations can no longer afford to relegate information security policies to the back burner. Information security professionals must therefore spur the organization into action.

For successful implementation of security policy, the following parts of an organization should be involved: executive management, the Board of Directors, auditors, and employees from across the organization. “The key to obtaining their support is to help them understand the importance of security policies and policy enforcement”.

External auditors can be a great resource and their advice is often taken more seriously by management. Auditors may also be able to provide you with a list of resources and contacts, and act as a sounding board. It is better to obtain and implement auditors’ input before an actual audit, since an unfavorable audit could have an adverse effect on year-end reporting. Remember to “keep your friends close and your enemies closer.”

When creating your own security policy, you may use existing policy resources from reputable sources. You can also discuss your security policy with “business peers, trade associations, or regional and national information security organizations”.

To enforce your security policy within an organization, make sure all employees understand the security policies that pertain to their role in the organization. “A policy that no one knows about cannot be enforced”. Showing employees what they need to do and how they can make an impact on the security of the organization can help motivate them to abide by the policies and assist in policy enforcement.

This blog is run by the authors of FindProtected.
FindProtected is a security program that allows you to search for password protected files. With FindProtected, you can effectively identify protected files containing sensitive data on your network.
