Security Policy Lifecycle

“Staying ahead and maintaining a healthy, robust policy programme requires diligence throughout the security lifecycle”. Generally, the security lifecycle includes the following phases:

a. Policy Development Phase
b. Enforcement Phase
c. Assurance Phase

To keep a security policy healthy throughout the lifecycle, consider your security policy impact:

1. Security is inconvenient: Recognise and respect security’s disruptions of the business process and daily life. You need not make the process transparent, but each extra step, each extra disruption, makes non-compliance more likely.

2. Avoid Excessive Complexity: Strive for common security tools that have already been tested and proven.

3. Prosecution or reprimand: Decide in advance how far to go, and get management buy-in. If you decide against prosecution in favour of reprimand, it is less important to build evidence once a hack is discovered.

4. Punishment to fit the crime: You may merely reprimand employees for sending personal email on the company network, but you want to prosecute someone who hacks the payroll. Decide in advance how far you will go.

Painless policy in practice:
While on rounds, a bank’s security staff enforced a policy that unattended workstations must be secured with a password-protected screen saver. They placed yellow notes reading, “Security needs your help. Please lock your workstation”, over unprotected monitors. This non-disruptive reminder helped change the user community’s habits. Bankers would leave their desks for lunch, then return saying, “I better lock my screen so I do not get one of those yellow notes”.

See “Why information security policies fail”.

This blog is run by the authors of FindProtected.
FindProtected is a security program that allows you to search for password protected files. With FindProtected, you can effectively identify protected files containing sensitive data on your network.
