Automated approach to policy formulation pays

By CubicICE
Johannesburg, 24 Mar 2004

The requirement for information security policies is growing across industries. The route taken to developing, updating, communicating and tracking compliance with security policies can have far-reaching cost and efficiency implications. The inclusion of an automated approach to policy development and ongoing maintenance is proving to save costs and improve the effectiveness of the entire information security programme.

An effective organisational security programme can't be implemented without first completing a risk assessment study, which helps determine the value of information assets and the level of security required to protect them. Policy development and implementation should follow risk assessment as the next step. Information security policies provide the direction to implement both technical and people controls throughout the organisation.

Maintaining up-to-date information security policies holds numerous benefits, including helping to ensure that security controls are consistently applied across an organisation and eliminating ambiguity that can lead to incompatibility. Internal auditors require written policies to carry out their responsibilities, and policies are also essential for discipline and prosecution purposes.

Once the benefits of developing, communicating and enforcing security policies are accepted, the organisation needs to choose between developing policies in-house, acquiring a consultant or utilising existing templates and tools on the market. Formulating security policies internally is cost-effective, and the company will end up with a highly customised set of policies. Disadvantages of this route include long lead times, a lack of internal security policy expertise and reduced access to upper management. Hiring a consultant comes at a cost, and it may be hard to find one with experience in security policy - as opposed to technology - implementation. Benefits include faster development and implementation, information security policy experience and the ability to communicate more easily with top management. Yet consultants may lack organisation-specific knowledge and require more time reviewing the deliverables.

The third option is suited to organisations that don't have the time or money to reinvent the wheel and would rather use authoritative template material as a starting point. This approach provides results faster and at a lower cost than hiring a consultant. Periodic revisions and updates to the template material will also guide the organisation in maintaining its security policies. Using template material may involve more upfront cost than developing policies in-house, and it will also require some internal expertise to customise sections of the template material to fit specific organisational requirements.

Once a policy has been written and approved, it needs to be communicated. This can be achieved in person, in writing, through information systems or by other awareness methods. A combined approach would normally prove most effective. Although credible, communicating policies in person is costly and time-consuming and can suffer from inconsistency. The traditional paper policy document is desirable because recipients' signatures can be obtained and the physical document reinforces the intent. Unfortunately, security policies can become lengthy, making them cumbersome to use and update.

Utilising information systems for communicating security policies could involve computer-based training or publishing policies on the company intranet. Using computers brings a host of additional capabilities, such as the ability to post questionnaires online and measure levels of understanding. For example, VigilEnt Policy Center from NetIQ allows reports to be generated indicating which recipients have read a policy, as well as who obtained a passing score on an associated questionnaire. This automated approach will enable the delivery of policies to select groups at precise times. It also serves as a useful tool during compliance monitoring, as clicking "I accept" - for example - serves as a record that the recipient has seen the policy.

VigilEnt Policy Center, distributed locally by 10Net, improves efficiency by speeding up the creation of policies, using content libraries that incorporate the latest best practice standards. The system also provides a facility for distributing policies for review, obtaining comments and approvals, and publishing the final version. All versions are archived and tracked, creating a complete audit trail of all policies and other content ever issued.

Editorial contacts

Robyn Moon
CubicICE
(011) 705 2545