SearchSecurity.com Security Tips: Compliance Counselor

Developing a policy your company can adhere to

Charles Cresson Wood, CISSP
07.13.2004


Far too many organizations treat the development or update of information security policies as yet another administrative task that can be delegated to anyone who isn't especially busy. This is ill-advised, because governments and third parties increasingly treat policies as legal contracts, and organizations are being held to the specific wording of their policies. A number of recent cases illustrate the importance of having a wide variety of people within an organization review policies before they're published. These cases also show how important it is to establish up front -- before policies are issued -- that the organization has both the management support and the management commitment necessary to follow through on the requirements the policies define.

Consider the case of Guess Jeans. Guess.com included a privacy policy that assured users their personal information would be "stored in unreadable, encrypted format at all times." Clearly, the writer of this policy didn't understand much about computers or networks. It is not technically possible to keep information in an unreadable and encrypted format at all times, because the data must be readable and unencrypted in order to be used to place orders and perform other necessary activities. What the policy should have said was that "all personal information in transit over the Internet would be sent in encrypted format."

The problems at Guess came into the limelight when Jeremiah Jacks notified the firm that it was vulnerable to a SQL injection attack. This type of attack allowed any third party to obtain customer names, credit card numbers and expiration dates in unencrypted form. Not only was the company reportedly not adhering to its own policy, but Guess management reportedly ignored warnings about this vulnerability. Only when a reporter at SecurityFocus investigated the weaknesses Jacks had reported did Guess management start to make changes. An investigation by the Federal Trade Commission ensued, and Guess later agreed to a consent order that required it to attend to information security as it should have been doing all along. Meanwhile, Guess suffered significant adverse publicity and incurred unnecessary expenses.



Unless your organization wants to be the next precedent-setting case appearing in the press, be sure that:

  • All published policies are reviewed by a variety of legal, technical, management and public relations people before they are published.

    Beyond making statements that are clearly not grounded in the technology, organizations publishing security and privacy policies should be on the lookout for black-and-white thinking. Perhaps the most common example is a policy that forbids personal use of organizational computing resources. Realistically, people will use computing systems to attend to personal matters like scheduling a baby sitter because they are required to work late. To forbid workers from using information systems in this manner only causes workers to ignore and lose respect for the policies. Having a variety of people review the wording of policies will ensure that they are both reasonable and sound.


  • Management has the will and commitment to follow through on the requirements defined in the policies before they are published.

    As illustrated above, policies should not be at odds with the way workers actually interact with information systems. If there is a difference, then it's either time to initiate serious training and awareness efforts, or strike an agreement on how and when the involved workers or systems will move into compliance. If management isn't going to follow through and fix the disparity, then it's time to change the policy so that it's consistent with the real world.


  • All deviations from the policies are promptly discovered and reported through regular compliance-checking activities.

    A surprising number of managers don't know whether there is a variance between policies and what's actually happening in the organization. This is where compliance checking comes in. Compliance checking should use both manual and automated methods. Manual methods include so-called "desk checks," which involve an after-hours sweep through the office looking for passwords written down and posted in conspicuous places, confidential material that is not locked up, etc. Automated methods include running vulnerability-identification software that checks that all internal network-connected systems are configured and managed according to both policies and standards. To be taken seriously, all policies must be supported by regular compliance checking.


  • All reported deviations are remedied in some way, perhaps by changing the policies themselves.

    When a deviation from policy is discovered, management is legally on notice that there's a problem that needs fixing. In other words, prompt action needs to be taken in order to avoid charges of negligence. In more instances than many of us information security folk would like to admit, the action that might be most appropriate is to change the policy itself. Policies should be dynamic and regularly updated to reflect changing conditions both inside and outside the organization. A formal process for reviewing policies, developing proposed changes and obtaining management approval for proposed changes should be established and followed on a regular basis, preferably annually.
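The automated compliance checking described above, and the follow-up point that a reported deviation sometimes calls for changing the policy rather than the system, can both be made concrete with a small baseline-driven checker. The following is an added example, not code from the article or from any product it mentions: the policy references (PWD-1 and so on), the configuration keys, the thresholds and the three host records are all constructed assumptions, standing in for what a real scanner export or inventory would supply.

```python
"""Added example: a baseline-driven configuration compliance checker.

Policy statements are turned into machine-checkable rules; each host's
configuration is a record; every deviation is reported together with the
policy statement it violates. A per-policy summary shows which statements
almost nobody meets, which is the signal that the policy itself (or its
rollout plan) may be what needs changing.

All policy references, settings, thresholds and hosts below are assumed,
constructed for illustration.
"""

from dataclasses import dataclass
from typing import Any, Callable


@dataclass(frozen=True)
class Rule:
    policy_ref: str                 # the policy statement this rule enforces
    setting: str                    # configuration key to inspect
    check: Callable[[Any], bool]    # predicate over the observed value
    expected: str                   # human-readable expectation for the report


# Assumed baseline derived from hypothetical policy statements.
BASELINE = [
    Rule("PWD-1", "min_password_length",
         lambda v: isinstance(v, int) and v >= 12, ">= 12"),
    Rule("NET-2", "web_tls_enforced", lambda v: v is True, "True"),
    Rule("ADM-3", "ssh_root_login", lambda v: v == "no", "no"),
    Rule("PAT-4", "days_since_last_patch",
         lambda v: isinstance(v, int) and v <= 30, "<= 30"),
]

# Constructed inventory records; a real checker would pull these from the
# systems themselves or from a vulnerability scanner's export.
HOSTS = {
    "web-01": {"min_password_length": 14, "web_tls_enforced": True,
               "ssh_root_login": "no", "days_since_last_patch": 12},
    "db-01":  {"min_password_length": 8, "web_tls_enforced": True,
               "ssh_root_login": "yes", "days_since_last_patch": 45},
    "app-02": {"min_password_length": 14, "web_tls_enforced": False,
               "ssh_root_login": "no"},   # patch date unknown: not reported
}


@dataclass(frozen=True)
class Deviation:
    host: str
    policy_ref: str
    setting: str
    observed: Any
    expected: str


def check_host(name, config, baseline=BASELINE):
    """Return every rule the host fails. A missing setting is treated as a
    deviation: 'unknown' is not evidence of compliance."""
    findings = []
    for rule in baseline:
        observed = config.get(rule.setting)
        if observed is None or not rule.check(observed):
            findings.append(Deviation(name, rule.policy_ref, rule.setting,
                                      observed, rule.expected))
    return findings


def check_inventory(hosts, baseline=BASELINE):
    """Map each host name to its list of deviations (empty when compliant)."""
    return {name: check_host(name, cfg, baseline) for name, cfg in hosts.items()}


def summarize(report):
    """Count non-compliant hosts per policy statement. A statement violated
    almost everywhere points at the policy or its rollout, not at the hosts."""
    counts = {}
    for findings in report.values():
        for d in findings:
            counts[d.policy_ref] = counts.get(d.policy_ref, 0) + 1
    return counts


if __name__ == "__main__":
    report = check_inventory(HOSTS)
    for host, findings in report.items():
        status = "compliant" if not findings else f"{len(findings)} deviation(s)"
        print(f"{host}: {status}")
        for d in findings:
            print(f"  [{d.policy_ref}] {d.setting}: observed {d.observed!r}, "
                  f"expected {d.expected}")
    print("per-policy deviation counts:", summarize(report))
```

Running the script lists each host's deviations and then the per-policy counts. In the constructed data, PAT-4 fails on two of three hosts, the kind of result that should prompt the question in the last bullet: is the 30-day patch window achievable, or should the policy be revised to match what the organization can actually commit to?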


    About the author
    Charles Cresson Wood, CISSP, CISA, CISM, is an independent information security consultant based in Sausalito, California. He specializes in the development of information security documents including policies, standards, procedures, and job descriptions. He is also the author of Information Security Policies Made Easy.

