As an independent consultant who writes information security policies for various organizations, I'm exposed to...
a wide variety of policy development and refinement approaches. I often get calls from organizations that simply want an updated policy, and they want it done cheap and fast. These management executives often view an information security policy as one of those "necessary evils" that they must attend to -- something they would rather ignore. They often see security policies as isolated documents, something unconnected to other business activities.
These organizations typically move towards updating a policy when an adverse security-related event or a disturbing audit finding flags an information security deficiency. Sometimes, it's a relatively minor problem -- such as a termination dispute with an ex-employee. For example, an ex-employee may have kept a personal computer provided by the organization, which in itself may be fine, but becomes a big deal when the employee stores confidential internal information on it. Such problems make it clear to management that a policy may be outdated and/or unsuitable. While it's human nature to ignore things until they become problems, it's not a prudent approach. If your organization waits for problems to trigger policy updates, management might not recognize the need to have an integrated risk management process for managing information security policies.
An integrated risk management process is a formalized and ongoing process to assess changing information security risks; it also engages management in the decision-making about these risks, determines the success of efforts taken to date and outlines which, if any, corrective actions should be taken. A formal risk management process typically involves risk assessments, current configuration vulnerability identification efforts, public vulnerability report analysis, budget preparation and variance analysis. It also addresses project plans and status reports, internal audits and management responses to these audits, post-mortem project reviews, documented requirement definitions (e.g. information security policies), as well as training and awareness efforts. There are different ways to characterize the process, but basically it's an iterative approach, which involves multiple inputs, outputs and feedback loops. Each organization will take a slightly different track, reflecting their unique needs and circumstances.
If your organization views policy update and refinement as an occasional corrective effort, that's a bad sign; management execs may not see the need to establish a formal process. Typically, organizations will adopt a risk management process after suffering great pain and realizing that they need more than a reactive short-term response. For example, lax handling of customer financial information may have facilitated identity theft abuses, resulting in legal or public relations trouble. Experiences like that can cost big money, and consume a great deal of management's time.
Information security changes rapidly, and is too complex and important for management to simply revise a policy as an isolated document. An arms-length approach to policy management isn't conducive to the evolution of an effective information security effort. It lacks a refinement process to address needed input, resources and the credibility that's essential for success. Information security that's integrated with computer-assisted business as an ongoing risk management process will identify and refine needed requirements that get documented as policy.
About the author
Charles Cresson Wood, CISSP, CISA, CISM, is an independent information security consultant based in Sausalito, Calif. He specializes in the development of information security documents including policies, standards, procedures and job descriptions. He is also the author of the book and CD-ROM entitled Information Security Policies Made Easy.