An Information Security Policy is the cornerstone of an Information Security Program. It should reflect the organisation's objectives for security and the agreed upon management strategy for securing information.
In order to be useful in providing authority to execute the remainder of the Information Security Program, it must also be formally agreed upon by executive management. This means that, in order to compose an information security policy document, an organisation has to have well-defined objectives for security and an agreed-upon management strategy for securing information. If there is debate over the content of the policy, then the debate will continue throughout subsequent attempts to enforce it, with the consequence that the Information Security Program itself will be dysfunctional.
There are a plethora of security-policy-in-a-box products on the market, but few of them will be formally agreed upon by executive management without being explained in detail by a security professional. This is not likely to happen due to time constraints inherent in executive management. Even if it was possible to immediately have management endorse an off-the-shelf policy, it is not the right approach to attempt to teach management how to think about security. Rather, the first step in composing a security policy is to find out how management views security. As a security policy is, by definition, a set of management mandates with respect to information security, these mandates provide the marching orders for the security professional. If the security professional instead provides mandates to executive management to sign off on, management requirements are likely to be overlooked.
A security professional whose job it is to compose security policy must therefore assume the role of sponge and scribe for executive management. A sponge is a good listener who is able to easily absorb the content of each person's conversation regardless of the group's diversity with respect to communication skills and culture. A scribe documents that content faithfully without embellishment or annotation. A good sponge and scribe will be able to capture common themes from management interviews and prepare a positive statement about how the organisation as a whole wants its information protected. The time and effort spent to gain executive consensus on policy will pay off in the authority it lends to the policy enforcement process.
Good interview questions that solicit management's opinions on information security are:
* How would you describe the different types of information you work with?
* Which types of information do you rely on to make decisions?
* Are there any information types that are more of a concern to keep private than others?
Registration is free, and gives you full access to our extensive white paper library, case studies & analysis, downloads & speciality areas, and more.
From these questions, an information classification system can be developed (e.g. customer info, financial info, marketing info, etc), and appropriate handling procedures for each can be described at the business process level.
Of course, a seasoned security professional will also have advice on how to mold the management opinions with respect to security into a comprehensive organisational strategy. Once it is clear that the security professional completely understands management's opinions, it should be possible to introduce a security framework that is consistent with it. The framework will be the foundation of the organisation's Information Security Program, and thus will service as a guide for creating an outline of the information security policy.
Often, a security industry standards document is used as the baseline framework. For example, the Security Forum's Standard of Good Practice (www.securityforum.org), the International Standards Organization's, Security Management series (27001, 27002, 27005, www.iso.org), and the Information Systems Audit and Control Association's Control Objectives for Information Technology (CoBIT, www.isaca.org). This is a reasonable approach, as it helps to ensure that the policy will be accepted as adequate not only by company management, but also by external auditors and others who may have a stake in the organisation's Information Security Program.
However, these documents are inherently generic and do not state specific management objectives for security. So they must be combined with management input to produce the policy outline. Moreover, it is not reasonable to expect the management of an organisation to change the way the organisation is managed in order to comply with a standards document. Rather, the information security professional may learn about good security management practices from these documents, and see if it is possible to incorporate them into the current structure of the target organisation.
Be the first to comment on this article!