Tailor Making the Perfect Policy for your Organization's Security

A good policy should:

Be simple to grasp, so that it suits the needs of the business. It is critical that the information supplied meets the needs of its target audience. All too frequently, subject matter experts write policies, standards, and procedures that are then distributed to a much wider audience. When the average reading and comprehension level in the workplace is that of a sixth grader (a 12-year-old), the content is nonetheless frequently written at a college level.

Be relevant. When developing policy, the writer may research other organizations' policies and literally duplicate their text. It is critical, however, to ensure that whatever is written matches the demands of your own company.

Make it possible. Can the company and its workers still achieve their goals once the policy is implemented? I've seen several companies write the ultimate security policy only to discover that it was so restrictive that the organization's mission was jeopardized.

Be gradually introduced. It may be necessary to give the organization time to study and absorb the policy before it goes into force. Many businesses announce a policy and then require business units to submit a compliance plan within a set number of days of the policy's release. This gives business unit managers time to evaluate the policy, identify where their unit falls short, and then submit a compliance timeline. These compliance letters are usually retained on file and made available to audit personnel.

Take the initiative. Specify what has to be done, and be specific about what is permitted and what is expected of employees.

Avoid using absolutes. Never, ever say never. Be polite and understand what is politically acceptable to say. Use a softer, kinder approach.

Comply with corporate objectives. Security experts must keep in mind that controls exist to help the company reach an acceptable level of risk. A security program that is 100 percent effective may result in zero percent productivity. When controls or policy interfere with the organization's business objectives or mission, the controls and policy lose. Keep in mind that the policy exists to assist the business, not vice versa.

The precise format (style) of a policy will be determined by how policies are presented inside a given company. It is critical that any policy produced resembles the organization's existing, declared policies. If the new policy does not look like a policy, some members of the review panel will not be able to read and analyze it as one.

Policies are often brief (compared to procedures and practices), with only a page or two of text. For example: Information is an asset and the organization's property. All personnel are responsible for preventing unauthorized access, alteration, disclosure, or destruction of that asset.

When designing policies, it is useful to understand that three sorts of policy are employed in constructing a security document:

  1. General: used to establish an organization's overarching information security vision.

  2. Topic-specific: these policies target specific issues. Each part of an information security document will often include a topic-specific policy.

  3. Application-specific: decisions made by management to safeguard specific applications or systems.
