Change is a necessary component of organizational growth. However, information security policies can become outdated and sometimes aren't flexible enough to adapt to the requirements of a changed organization. Therefore, security professionals must ensure there are procedures in place that minimize the impact on an organization by effectively managing change.

The most effective way to manage change in security policies is to prevent it from being necessary in the first place. Take a big picture view when

    Requires Free Membership to View

designing security policies. Try to make them flexible enough to handle the two major causes of change:
  • Growth in the organization. The organization may simply grow too large for a previously effective security policy to continue. When developing policies, think about and plan for scalability. Ask the questions, "How well will this policy work when we're twice the size we are now? How about when we're 10 times the size?"
  • Advances in technology. Security policies should be technology-neutral. If you describe specific technologies in your policy, it's inevitable that those technologies will become outdated, and you'll need to revise the policy to reflect those changes. Instead of describing technologies, describe specific business requirements. For example, don't state, "All employees must use RSA SecurID tokens when remotely accessing corporate networks." Instead, you should write, "All employees must use approved access control technologies when remotely accessing corporate networks." You can then supplement the policy with a list of approved technologies that can be updated on a more frequent basis, leaving the policy itself intact.

If the committee developing your security policies abides by these two principles, you'll be light-years ahead of the pack. It's perfectly reasonable to expect that policies designed by these standards will survive for years, rather than months without requiring modifications.

Remember, however, that change is inevitable. You will eventually need to make modifications to your policy, so ensure that you have an appropriate change control policy in place before issuing new security policies. This will ensure a smooth transition when the organization's needs eventually surpass the coverage of your policies.

About the author
Mike Chapple, CISSP, currently serves as Chief Information Officer of the Brand Institute, a Miami-based marketing consultancy. He previously worked as an information security researcher for the U.S. National Security Agency. His publishing credits include the TICSA Training Guide from Que Publishing, the CISSP Study Guide from Sybex and the upcoming SANS GSEC Prep Guide from John Wiley. He's also the About.com Guide to Databases.

This was first published in February 2004

There are Comments. Add yours.

 
TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
Sort by: OldestNewest

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to:

Disclaimer: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.