Tier-1 policy overview: Conflict of interest, performance management

As I discussed in my previous tip on Tier-1 policies, information security is not limited to the IT department. It must be part of every facet of the organization. This tip looks at four corporate-level Tier 1

    Requires Free Membership to View

policies that require information security input. For information security professionals, the Information Security Policy is the foundation upon which the entire program will be erected.

Conflict of Interest – Company employees are expected to adhere to the highest standards of conduct. To assure adherence to these standards, employees must have a special sensitivity to conflict-of-interest situations or relationships, as well as the inappropriateness of personal involvement in them. While not always covered by law, these situations can harm the company or its reputation if improperly handled. Discussion about due diligence should also be addressed in the Conflict-of-Interest Policy. Many organizations restrict Conflict-of-Interest Policy requirements to management levels. However, all employees should be required to annually review and sign a responsibility statement.


Performance Management – This policy discusses how employee job performance is to be used in determining an employee's appraisal. Information security requirements should be included as an element that affects the level of employee performance. As discussed in my previous tip, written job descriptions will ensure that employees are reviewed at least annually, and that reviews are conducted fairly on how employees do their job and contribute to the organization's information security efforts.

Employee Discipline – This policy outlines the disciplinary steps that are to be taken when things go wrong. As with all policies, it discusses who is responsible for what and leads those individuals to more extensive procedures. This policy is important for an effective information security program. When an investigation begins, it may eventually lead to a need to implement sanctions on an employee or group of employees. Having a policy that establishes who is responsible for administering these sanctions will ensure that all involved in the investigation are properly protected.

Information Security – This is the cornerstone of the information security program and works in close harmony with the enterprise-wide Asset Classification Policy and the Records Management Policy (which we'll go over in future Policies Tips). This policy establishes the concept that information is an asset and the property of the organization and that all employees are required to protect this asset.

Changes to existing corporate policies will take the cooperation of the owner departments. The Conflict-of-Interest Policy is usually owned by Human Resources and administered by the Audit Department. Performance Management and Employee Discipline are the purview of Human Resources, and the CIO should own the Information Security Policy.

About the author
Tom Peltier has been an information security professional for more than twenty-five years. He has written books on information security policies and contributed to several books on CISSP preparation, and computer and data security.

This was first published in March 2004

There are Comments. Add yours.

TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
Sort by: OldestNewest

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to:

Disclaimer: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.