Remember the aphorism "the road to hell is paved with good intentions"? Information security policies illustrate...
this principle. In this case, the hell is inconsistent policies issued by different departments. This tip covers the importance of centralized policy issuance as a critical but all-too-often missing management approach.
When issued by different departments, multiple policies often lack sufficient management approval, advance coordination between departments, research into the organization's true problems, as well as a long-term view. These problems are the direct result of different people quite sincerely being worried about information security, people who proactively decide they are going to something about it.
Despite these good intentions, the mish-mash of policies is frequently dysfunctional and ineffective. These policies are often confusingly written, many are overlapping with and/or in direct opposition to previously-issued policies, many are shallow and unresponsive to the organization's needs, many are out-of-date, and when they are contested it becomes clear that many are also unenforceable. This mish-mash of policies frequently covers a wide variety of topics, some of which may not even be within the scope of that organization's definition of information security.
To clean up this mess or -- better yet -- prevent it from happening in the first place, be sure that only one organizational unit is issuing and updating information security policies. To support a single organizational unit in doing this, management should adopt an information security unit mission statement that clearly specifies that the publication of information security requirements are the responsibility of this single unit. Hopefully this unit is an Information Security Department, but the approach will still work if the unit is a sub-group of another department such as Information Systems or Industrial Security.
To make it crystal clear who is to issue policies, it is also necessary to document and get proper approval for specific job descriptions, such as that for an Information Security Manager. Likewise, the reporting relationships between the information security unit and other units must also be clarified, documented and approved by management. A clear job description will specify duties like the development and issuance of policies, and a clear reporting relationship will eliminate any confusion about who is to review and approve of these same policies.
Information security can no longer be approached as a one-time project or an issue that is addressed only when serious problems come to light. Information security needs to be recognized as a legitimate on-going organizational function, and this means that staff need to take time out to define roles and responsibilities along the lines of department mission statements, job descriptions and reporting relationships. Without defining roles and responsibilities clearly and definitively, without getting top management's buy-in to information security as an on-going organizational function that every modern organization absolutely must have, we will see the continued serious understaffing of the information security function.
About the author
Charles Cresson Wood, CISSP, CISA, is an independent information security consultant based in Sausalito, Calif. He specializes in the development of information security documents including policies, standards, procedures, and job descriptions. He is also the author of Information Security Policies Made Easy.