Tip

One internal source for all information security policies

Remember the aphorism "the road to hell is paved with good intentions"? Information security policies illustrate this principle. In this case, the hell is inconsistent policies issued by different departments. This tip covers the importance of centralized policy issuance as a critical but all-too-often missing management approach.

When issued by different departments, multiple policies often lack sufficient management approval, advance coordination between departments, research into the organization's true problems, as well as a long-term view. These problems are the direct result of different people quite sincerely being worried about information security, people who proactively decide they are going to something about it.

Despite these good intentions, the mish-mash of policies is frequently dysfunctional and ineffective. These policies are often confusingly written, many are overlapping with and/or in direct opposition to previously-issued policies, many are shallow and unresponsive to the organization's needs, many are out-of-date, and when they are contested it becomes clear that many are also unenforceable. This mish-mash of policies frequently covers a wide variety of topics, some of which may not even be within the scope of that organization's definition of information security.

To clean up this mess or -- better yet -- prevent it from happening in the first place, be sure that only one organizational unit is issuing and updating information security

    Requires Free Membership to View

policies. To support a single organizational unit in doing this, management should adopt an information security unit mission statement that clearly specifies that the publication of information security requirements are the responsibility of this single unit. Hopefully this unit is an Information Security Department, but the approach will still work if the unit is a sub-group of another department such as Information Systems or Industrial Security.

To make it crystal clear who is to issue policies, it is also necessary to document and get proper approval for specific job descriptions, such as that for an Information Security Manager. Likewise, the reporting relationships between the information security unit and other units must also be clarified, documented and approved by management. A clear job description will specify duties like the development and issuance of policies, and a clear reporting relationship will eliminate any confusion about who is to review and approve of these same policies.

Information security can no longer be approached as a one-time project or an issue that is addressed only when serious problems come to light. Information security needs to be recognized as a legitimate on-going organizational function, and this means that staff need to take time out to define roles and responsibilities along the lines of department mission statements, job descriptions and reporting relationships. Without defining roles and responsibilities clearly and definitively, without getting top management's buy-in to information security as an on-going organizational function that every modern organization absolutely must have, we will see the continued serious understaffing of the information security function.

About the author
Charles Cresson Wood, CISSP, CISA, is an independent information security consultant based in Sausalito, Calif. He specializes in the development of information security documents including policies, standards, procedures, and job descriptions. He is also the author of Information Security Policies Made Easy.

This was first published in March 2004

There are Comments. Add yours.

 
TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
Sort by: OldestNewest

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to:

Disclaimer: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.