Write your security policies last!

To secure your business’s confidential information against all kinds of malicious activity, you need a comprehensive security policy. Each organization should work out its own security policy, depending on its security profile. The policy must not interfere with common business procedures but rather provide for data integrity and availability. It should take into consideration what level of protection applies to each information asset. It should also identify where all sensitive information is located and ensure that it is stored properly.

Steve Fallin, in "Procrastinators, unite: write your security policy last!", says that “writing security policies often seems like a nuisance whenever time and resources are short”. It proves more effective to work out a security policy based on well-documented business processes.

The existence of a policy supposes that you understand something-or-other in your organization well enough to make rational decisions about it. That level of knowledge comes only from experience. The only way to catalog that experience is to study what you do now: not the security technology, but the business processes that require the technology.

In other words, you have to know what your business procedures are before you write a security policy. You should analyze your business processes, risks and mitigation strategies first.
