Sharing the responsibility of developing policies

Sharing the responsibility of developing policies

As security professionals we often view the overall objective of an information security program is to protect the integrity, confidentiality and availability of information. While this is true from a security perspective, it is not the organization's objective. Information is an asset and must be shared throughout the organization with those that have a business need for access. Furthermore, information is an asset of the entire enterprise and all employees are responsible for protecting it.

An information protection program should be part of any organization's overall asset protection program. The information protection program is a business function that provides management with the processes needed to perform their fiduciary duty. That is, management is charged with a trust to ensure that adequate controls are in place to protect the assets of the enterprise. An information security program that includes policies, standards and procedures ensures that management can demonstrate this standard of due care.

There are at least twelve organization-wide (Tier-1) policies and each should include reference to information security. As information security professionals, it is our responsibility to implement policies that reflect the business and mission needs of the enterprise. While it is not our sole responsibility to develop policies, it is our responsibility to work with the other business units to ensure that the enterprise-wide responsibility to protect information

    Requires Free Membership to View

    Login

    SearchSecurity.com members gain immediate and unlimited access to breaking industry news, virus alerts, new hacker threats, highly focused security newsletters, and more -- all at no cost. Join me on SearchSecurity.com today!

    Michael S. Mimoso, Editorial Director

    By submitting your registration information to SearchSecurity.com you agree to receive email communications from TechTarget and TechTarget partners. We encourage you to read our Privacy Policy which contains important disclosures about how we collect and use your registration and other information. If you reside outside of the United States, by submitting this registration information you consent to having your personal data transferred to and processed in the United States. Your use of SearchSecurity.com is governed by our Terms of Use. You may contact us at webmaster@TechTarget.com.

resources is included in all phases of the business process. In the chart below I've indicated the primary department responsible for developing each of the Tier-1 Policies, as well as the link to more information about each policy.

Tier-1 Corporate Policy Responsible Department
Employment Practices Human Resources
Employee Standards of Conduct Human Resources
Conflict of Interest Auditing
Performance Management Human Resources
Employee Discipline Human Resources
Information Security Information Security
Corporate Communications Corporate Communications – Public Relations
Procurement and Contracts Purchasing
Records Management Records Retention
Asset Classification Information Security
Work Place Security Physical Security
Business Continuity Planning Facilities Management

This was first published in June 2004

Disclaimer: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.

Back to top