Writing Effective Information Security Policies
Fortunately, resources exist to assist chief information security officers in formulating effective policy, such as Information Security Governance: Guidance for Boards of Directors and Executive Management, 2nd Edition, published in 2006 by the IT Governance Institute and available for free download at www.itgi.org.
The guidance describes actions that boards and executive management can take to ensure effective information security governance. It identifies five outcomes of a successful information security program: information security is aligned with business strategy and supports the business; risks are managed so that their impact on information is reduced; resources are managed by using information security knowledge and infrastructure effectively and efficiently; governance metrics are used to measure, monitor and report progress; and information security investments deliver value to the business.
Information security policy is the focal point for establishing and conveying security requirements. It sets the tone for information security practice within an organization, defining appropriate behavior and setting the stage for the security program. A consistently applied policy development framework should guide how policy is formulated, rolled out, understood and complied with.
Senior management is responsible for establishing and enforcing a formal, written information security policy including standards, procedures, guidelines and rules of use.
A good policy document states the overall importance of security to the organization, identifies what is being protected, identifies the key risks and the mechanisms for dealing with them, and provides for ongoing, regular monitoring and feedback to ensure the policies are enacted and enforced. Regular updates are needed to reflect changing business needs and practices. The policy enumerates the roles and responsibilities of all information systems users in protecting the confidentiality, integrity and availability of information assets. It must set out management's objectives and expectations for information security in clear, unambiguous terms, along with the consequences of noncompliance. Its existence also demonstrates management's commitment to information security. To remain applicable and relevant, the policy statement should be reviewed and updated at least annually. Failure to update it suggests either a lack of management commitment to information security or a general lack of processes for managing organizational governance.
The policy clearly states the overall objectives and requirements for information security, its scope (organizational units, information assets), the roles and responsibilities of each relevant party (e.g., asset owners, users, trustees), and the conditions under which exceptions may be granted. The information security policy framework supports the more detailed statements of information security standards, practices and procedures that sit beneath it.
Rather than viewing information security policy as a single document, it helps to view the policy as a three-part suite: the policy document, the standards document and the procedures document, writes Mark Ungerman, director of product management at Symantec Corp., in a white paper.
The information security policy document details why a corporation needs a policy in the first place. The standards document outlines what will be done to ensure security of information and assets. Finally, the procedures document becomes the how-to portion, showing the methodology in achieving the set standards.
The information security policy itself provides a brief overview of the organization's philosophy regarding security, writes Ungerman. Usually only around two pages long, the policy is the shortest of the three documents, but it is critically important in setting the stage for the other two. "The framework for the entire suite of documents rests in the policy's ability to define to whom and what the policy applies, provide a general description, illustrate the need for adherence, and detail the consequences for nonadherence," says Ungerman.
The information security policy also spells out the consequences of noncompliance with government regulations and standards. Once complete, the information security policy should be reviewed, approved and signed by the most senior manager in the organization.
The information security standards document sets out what needs to be done to implement security measures. It covers the physical, administrative and technical controls designed to secure information assets. In detailing security controls, end-user productivity must be considered: controls should be designed to maximize both information protection and employee efficiency. Much like the policy document, the standards document is unlikely to change often; only the introduction of new systems, applications or regulations should require amendments to it.
The final piece of the security suite, the information security procedures document, takes the controls outlined in the standards document and shows how each control will be implemented and managed. Since implementing any one control may require several procedures and tasks, each step must be identified and documented. Because the business environment is continually changing, this document will undergo frequent changes to keep pace with the corporation's security needs.