No matter how thorough and extensive your research and preparation, no security policy exists that distinctly addresses...
every possible current and future security infraction. Most security policies address the larger and more significant issues on an issue by issue basis and provide general guidelines on how to manage the bulk of other issues. Well designed security policies address known or current issues fairly adequately. The real problem lies in the unpredictable nature of the future and the ever expanding collection of vulnerabilities and risk.
Networks are not static entities, they are constantly evolving, growing, and changing. Some of these activities are closely restricted, controlled, and monitored. Some are uncontrollable aspects of the technologies while others are intentionally implemented. No matter what the perspective or intention, as things change new risks and new vulnerabilities are bound to be generated.
As new problems are discovered either by self-examination (i.e. internal penetration testing, security auditing, etc.) or through incident handling, your organization's security policy should be updated. I'm not referring to a complete revision (unless it has been shown to have an unstable foundation), but rather a surgical repair, addition, or update that improves the overall document. Minor changes to your security policy in response to the ever-changing environment of your organization will help maintain the security solution you so desperately need. Failing to adjust your policies as you discover new issues will do nothing but prepare you for failure, often sooner than you think.
Changes to your security policy can take the form of addendums or amendments to the actual policy document or alterations to the standards, guidelines, or procedural documents which flesh out the general principles of the security policy.
In today's high-risk business environment, you must learn to adjust your security to changing conditions just to remain a viable organization. Building in procedures and processes to accomplish this is important. When possible, build in these facets from the beginning. If they are not already present, make the effort to shoe-horn them into your security policy infrastructure. You'll be glad you did.
About the author
James Michael Stewart is a partner and researcher for ITinfopros, a technology-focused writing and training organization.