Incidents should spur security policy updates

No matter how thorough and extensive your research and preparation, no security policy exists that distinctly addresses every possible current and future security infraction. Most security policies address the larger and more significant issues on an issue by issue basis and provide general guidelines on how to manage the bulk of other issues. Well designed security policies address known or current issues fairly adequately. The real problem lies in the unpredictable nature of the future and the ever expanding collection of vulnerabilities and risk.

Networks are not static entities, they are constantly evolving, growing, and changing. Some of these activities are closely restricted, controlled, and monitored. Some are uncontrollable aspects of the technologies while others are intentionally implemented. No matter what the perspective or intention, as things change new risks and new vulnerabilities are bound to be generated.

As new problems are discovered either by self-examination (i.e. internal penetration testing, security auditing, etc.) or through incident handling, your organization's security policy should be updated. I'm not referring to a complete revision (unless it has been shown to have an unstable foundation), but rather a surgical repair, addition, or update that improves the overall document. Minor changes to your security policy in response to the ever-changing environment of your organization will help maintain the security solution you so desperately

    Requires Free Membership to View

need. Failing to adjust your policies as you discover new issues will do nothing but prepare you for failure, often sooner than you think.

Changes to your security policy can take the form of addendums or amendments to the actual policy document or alterations to the standards, guidelines, or procedural documents which flesh out the general principles of the security policy.

In today's high-risk business environment, you must learn to adjust your security to changing conditions just to remain a viable organization. Building in procedures and processes to accomplish this is important. When possible, build in these facets from the beginning. If they are not already present, make the effort to shoe-horn them into your security policy infrastructure. You'll be glad you did.

About the author
James Michael Stewart is a partner and researcher for ITinfopros, a technology-focused writing and training organization.

This was first published in January 2003

There are Comments. Add yours.

TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
Sort by: OldestNewest

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to:

Disclaimer: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.