Tier-1 policy overview: Conflict of interest, performance management

As I discussed in my previous tip on Tier-1 policies, information security is not limited to the IT department. It must be part of every facet of the organization. This tip looks at four corporate-level Tier 1 policies that require information security input. For information security professionals, the Information Security Policy is the foundation upon which the entire program will be erected.

Conflict of Interest – Company employees are expected to adhere to the highest standards of conduct. To assure adherence to these standards, employees must have a special sensitivity to conflict-of-interest situations or relationships, as well as the inappropriateness of personal involvement in them. While not always covered by law, these situations can harm the company or its reputation if improperly handled. Discussion about due diligence should also be addressed in the Conflict-of-Interest Policy. Many organizations restrict Conflict-of-Interest Policy requirements to management levels. However, all employees should be required to annually review and sign a responsibility statement.

• Download the on-demand webcast, "Essential strategies for policy development," with guest speaker Charles Cresson Wood.
• Read part one of Tier-1 policies overview, also by Thomas Peltier.
• Learn the benefits of centralized policy issuance in this policy tip written by Charles Cresson Wood.

Performance Management – This policy discusses how employee job performance is to be used in determining an employee's appraisal. Information security requirements should be included as an element that affects the level of employee performance. As discussed in my previous tip, written job descriptions will ensure that employees are reviewed at least annually, and that reviews are conducted fairly on how employees do their job and contribute to the organization's information security efforts.

Employee Discipline – This policy outlines the disciplinary steps that are to be taken when things go wrong. As with all policies, it discusses who is responsible for what and leads those individuals to more extensive procedures. This policy is important for an effective information security program. When an investigation begins, it may eventually lead to a need to implement sanctions on an employee or group of employees. Having a policy that establishes who is responsible for administering these sanctions will ensure that all involved in the investigation are properly protected.

Information Security – This is the cornerstone of the information security program and works in close harmony with the enterprise-wide Asset Classification Policy and the Records Management Policy (which we'll go over in future Policies Tips). This policy establishes the concept that information is an asset and the property of the organization and that all employees are required to protect this asset.

Changes to existing corporate policies will take the cooperation of the owner departments. The Conflict-of-Interest Policy is usually owned by Human Resources and administered by the Audit Department. Performance Management and Employee Discipline are the purview of Human Resources, and the CIO should own the Information Security Policy.

About the author
Tom Peltier has been an information security professional for more than twenty-five years. He has written books on information security policies and contributed to several books on CISSP preparation, and computer and data security.