Avoiding change in security policies

Change is a necessary component of organizational growth. However, information security policies can become outdated and sometimes aren't flexible enough to adapt to the requirements of a changed organization. Therefore, security professionals must ensure there are procedures in place that minimize the impact on an organization by effectively managing change.

The most effective way to manage change in security policies is to prevent it from being necessary in the first place. Take a big picture view when designing security policies. Try to make them flexible enough to handle the two major causes of change:

• Growth in the organization. The organization may simply grow too large for a previously effective security policy to continue. When developing policies, think about and plan for scalability. Ask the questions, "How well will this policy work when we're twice the size we are now? How about when we're 10 times the size?"
• Advances in technology. Security policies should be technology-neutral. If you describe specific technologies in your policy, it's inevitable that those technologies will become outdated, and you'll need to revise the policy to reflect those changes. Instead of describing technologies, describe specific business requirements. For example, don't state, "All employees must use RSA SecurID tokens when remotely accessing corporate networks." Instead, you should write, "All employees must use approved access control technologies when remotely accessing corporate networks." You can then supplement the policy with a list of approved technologies that can be updated on a more frequent basis, leaving the policy itself intact.

If the committee developing your security policies abides by these two principles, you'll be light-years ahead of the pack. It's perfectly reasonable to expect that policies designed by these standards will survive for years, rather than months without requiring modifications.

Remember, however, that change is inevitable. You will eventually need to make modifications to your policy, so ensure that you have an appropriate change control policy in place before issuing new security policies. This will ensure a smooth transition when the organization's needs eventually surpass the coverage of your policies.

About the author
Mike Chapple, CISSP, currently serves as Chief Information Officer of the Brand Institute, a Miami-based marketing consultancy. He previously worked as an information security researcher for the U.S. National Security Agency. His publishing credits include the TICSA Training Guide from Que Publishing, the CISSP Study Guide from Sybex and the upcoming SANS GSEC Prep Guide from John Wiley. He's also the About.com Guide to Databases.

Rate this Tip To rate tips, you must be a member of SearchSecurity.com. Register now to start rating these tips. Log in if you are already a member. Digg This!     StumbleUpon     Del.icio.us    RELATED CONTENT Compliance Counselor Learning the language of global compliance WEP to WPA: Wireless encryption in the wake of PCI DSS 1.2 HIPAA privacy regulations get some teeth: Be prepared PCI version 1.2 clarifications: How to get an early start on compliance audits Version 1.2 of Payment Card Industry (PCI) Data Security Standard answers questions, raises others Security certifications: Are they worth the trouble? How to look past information security vendor rhetoric Compliance recycling: Combining compliance efforts to manage PCI DSS Web 2.0 and e-discovery: Risks and countermeasures Learn from NIST: Best practices in security program management Creating and Managing Information Security Policies Learning the language of global compliance IT security pros face challenge during economic crisis Interview: Chris Nickerson of TruTV's 'Tiger Team' IT security not valued at many firms, study finds What value do research firms provide to enterprises that subscribe to their services? Sound compliance policies, practices reduce legal costs Exploring Microsoft's Network Access Protection policy options IAM best practices for employees with varying degrees of access to the same computer How to avoid DLP implementation pitfalls Is there a published standard or guideline for system hardening? Creating and Managing Information Security Policies Research RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary defense in depth  (SearchSecurity.com) non-disclosure agreement  (SearchSecurity.com) security policy  (SearchSecurity.com) RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary DISCLAIMER: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.