Change is a necessary component of organizational growth. However, information security policies can become outdated...
and sometimes aren't flexible enough to adapt to the requirements of a changed organization. Therefore, security professionals must ensure there are procedures in place that minimize the impact on an organization by effectively managing change.
The most effective way to manage change in security policies is to prevent it from being necessary in the first place. Take a big picture view when designing security policies. Try to make them flexible enough to handle the two major causes of change:
- Growth in the organization. The organization may simply grow too large for a previously effective security policy to continue. When developing policies, think about and plan for scalability. Ask the questions, "How well will this policy work when we're twice the size we are now? How about when we're 10 times the size?"
- Advances in technology. Security policies should be technology-neutral. If you describe specific technologies in your policy, it's inevitable that those technologies will become outdated, and you'll need to revise the policy to reflect those changes. Instead of describing technologies, describe specific business requirements. For example, don't state, "All employees must use RSA SecurID tokens when remotely accessing corporate networks." Instead, you should write, "All employees must use approved access control technologies when remotely accessing corporate networks." You can then supplement the policy with a list of approved technologies that can be updated on a more frequent basis, leaving the policy itself intact.
If the committee developing your security policies abides by these two principles, you'll be light-years ahead of the pack. It's perfectly reasonable to expect that policies designed by these standards will survive for years, rather than months without requiring modifications.
Remember, however, that change is inevitable. You will eventually need to make modifications to your policy, so ensure that you have an appropriate change control policy in place before issuing new security policies. This will ensure a smooth transition when the organization's needs eventually surpass the coverage of your policies.
About the author
Mike Chapple, CISSP, currently serves as Chief Information Officer of the Brand Institute, a Miami-based marketing consultancy. He previously worked as an information security researcher for the U.S. National Security Agency. His publishing credits include the TICSA Training Guide from Que Publishing, the CISSP Study Guide from Sybex and the upcoming SANS GSEC Prep Guide from John Wiley. He's also the About.com Guide to Databases.