Policy Development
This hierarchy of instructions allows different levels of the organization to shape the security practice. In setting the rules for the expected behavior, the organization can require individuals to account for performance. A formal informational hierarchy communicates to a broad range of stakeholders the importance of information security practice to the organization.
Critical to the enforcement of organizational expectations are clarity and simplicity. If a policy or procedure is too detailed or complex, it is less likely to be followed. If it is laden with jargon or inside terminology, new people will find it difficult to understand and comply with. Similarly, the instructional documents should be readily available and consistent in format and structure.
In enforcing the organization’s expectations, consideration should be given to exceptional circumstances, particularly those where compliance in one area would result in noncompliance in another. The documentation must therefore define a method for resolving such internal conflicts and for approving variances from the organization’s usual expectations.
Policy Review Process
Regular review of policies provides a way to ensure that the policy continues to meet the organizational objectives and compliance requirements. It is important to define your development and review process for your suite of policies. A well-structured policy review process should provide for the following:
- Develop methods to capture new policy requirements based on new technologies or new business models. The impact of new systems on an organization’s policies should be reviewed as part of the systems development lifecycle.
- Set a regular schedule for the review of every policy. Even if the policy is not changed, the review itself demonstrates due care by the management. Reviews are often aligned with other organizational processes, such as annual audits.
- Set a protocol for gaining input from all stakeholders when reviewing policies. Structured input ensures that stakeholders’ concerns are documented and addressed.
- Define your conditions for policy change and adhere to them. Policies should be more enduring than the management documents, which would be expected to change more frequently.
- Have a waiver or exception process. A formal process to request, evaluate, and, where appropriate, waive policies allows unique circumstances to be addressed by the organization. As the policies themselves are an expression of an organization’s risk, a formal waiver ensures that the risk accepted by the waiver is within the organization’s risk tolerance.
- Assign explicit ownership for the policy. This provides a measure of accountability to ensure the policy is properly managed and reviewed.
Information security policies are one of the strongest preventative tools against cyberattacks. They define appropriate permissible behavior among all parties who access data in your enterprise. When properly crafted and maintained, well-structured policies and related documents set expectations for organizational behavior, direct work in a consistent manner, and are a critical area of control for the organization.