Avoiding change in security policies

Change is a necessary component of organizational growth. However, information security policies can become outdated and sometimes aren't flexible enough to adapt to the requirements of a changed organization. Therefore, security professionals must ensure there are procedures in place that minimize the impact on an organization by effectively managing change.

The most effective way to manage change in security policies is to prevent it from being necessary in the first place. Take a big picture view when designing security policies. Try to make them flexible enough to handle the two major causes of change:

• Growth in the organization. The organization may simply grow too large for a previously effective security policy to continue. When developing policies, think about and plan for scalability. Ask the questions, "How well will this policy work when we're twice the size we are now? How about when we're 10 times the size?"
• Advances in technology. Security policies should be technology-neutral. If you describe specific technologies in your policy, it's inevitable that those technologies will become outdated, and you'll need to revise the policy to reflect those changes. Instead of describing technologies, describe specific business requirements. For example, don't state, "All employees must use RSA SecurID tokens when remotely accessing corporate networks." Instead, you should write, "All employees must use approved access control technologies when remotely accessing corporate networks." You can then supplement the policy with a list of approved technologies that can be updated on a more frequent basis, leaving the policy itself intact.

If the committee developing your security policies abides by these two principles, you'll be light-years ahead of the pack. It's perfectly reasonable to expect that policies designed by these standards will survive for years, rather than months without requiring modifications.

Remember, however, that change is inevitable. You will eventually need to make modifications to your policy, so ensure that you have an appropriate change control policy in place before issuing new security policies. This will ensure a smooth transition when the organization's needs eventually surpass the coverage of your policies.

About the author
Mike Chapple, CISSP, currently serves as Chief Information Officer of the Brand Institute, a Miami-based marketing consultancy. He previously worked as an information security researcher for the U.S. National Security Agency. His publishing credits include the TICSA Training Guide from Que Publishing, the CISSP Study Guide from Sybex and the upcoming SANS GSEC Prep Guide from John Wiley. He's also the About.com Guide to Databases.

Rate this Tip To rate tips, you must be a member of SearchSecurity.com. Register now to start rating these tips. Log in if you are already a member. BROWSE BY TAG Compliance Counselor,   Information Security Policies, Procedures and Guidelines,   Information Security Management,   VIEW ALL TAGS Digg This!     StumbleUpon     Del.icio.us    RELATED CONTENT Compliance Counselor Identity lifecycle management for security and compliance Interpreting 'risk' in the Massachusetts data protection law FTC Red Flags Rules: How to create an identity theft prevention plan Creating a HIPAA employee training program Data protection tips for corporate compliance leaders PCI DSS compliance requirements: Ensuring data integrity Understanding PCI DSS compliance requirements for log management Are 'strong authentication' methods strong enough for compliance? Strategies for using technology to enable automated compliance Common PCI questions: Web application firewalls or source code review? Information Security Policies, Procedures and Guidelines Health Net breach failure of security policy, technology How to protect distributed information flows Essential guide: Pandemic planning for H1N1 Whitelists, SaaS modify traditional security, tackle flaws Melissa Hathaway urges more cooperation, government attention to cybersecurity Reuters: Obama ready to select cyber security czar How a corporate Twitter policy can combat social network threats Should enterprises be concerned with Twitter in the workplace? Information security management hype: Debunking best practices Data breach avoidance begins with security basics, panel says RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary defense in depth  (SearchSecurity.com) non-disclosure agreement  (SearchSecurity.com) security policy  (SearchSecurity.com) RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary DISCLAIMER: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.