Home

Guides

Starting Your Business

Now That You're Up and Running

Avoiding Common Pitfalls

Managing Risk

Article

RSS

Veronica Mun

Veronica Mun graduated from the University of Washington where she majored in Communication and Psychology. She is currently a member of the marketing team at Essential Security Software, an emerging email anti-theft software company based in Bellevue, WA.

Veronica Mun has written 4 articles for SB Informer.

View all articles by Veronica Mun...

3 Steps to Planning a Security Policy

How to plan a successful security policy

by Veronica Mun

July 24, 2007

	Visited: 153

	5.0/5.0 (1 votes total)
	Rate:

It is common for many companies to notice a security problem and then immediately look for technology solutions to plug up the hole. In the end, companies wonder why they have an abundance of solutions that do not efficiently secure company assets. This is where planning becomes a necessity.

The Importance of Planning
Planning your security policy requires a close analysis of employee behavior in different job roles and is also the time for company security goals to be articulated. Having problems and goals evaluated simultaneously makes it easier to come up with all-encompassing solutions that will be effective and advantageous for all. A good rule of thumb when planning a security policy is to base the policy around risks rather than technology. A policy should not change as the technology changes.(1)

The Planning Stage helps to address this, by focusing on employee behavior. This is crucial because, changes in policy often start with changes in procedure. "Organizations need to understand that much of information security and privacy work that needs to be done are people-based [regarding] policies, procedures, training, awareness [and] response activities."(2)

Planning Your Security Policy
There are three factors to keep in mind when planning your policy. The first requires you to express the goals of your policy. What are you trying to accomplish? What are you trying to protect? The second step requires you to scan the work environment and identify vulnerabilities that exist within current processes. The final step asks you to create a plan of action that will help alleviate the flaws. All are equal contributors to planning success.

Step 1: Setting Goals for Your Security Policy
Your security policy goals should run parallel with the goals set for your company. For example, if your company is customer oriented, then a goal of your security policy should be to protect your customer and their data through use of encryption and network security.

Furthermore, all parties should play a role in goal setting. This is crucial because if a security breach was to occur, each department plays a different role in the recovery process, as well as in re-evaluating procedures for policy improvement. Global involvement allows each department time to invest in the policy, ensuring a higher level of cooperation when the time comes to implement the policy.

Step 2: Identifying Security Vulnerabilities
A company must examine existing procedures and identify all processes that pose a security risk. For example, policies regarding data management; how data is protected during storage, how long it is kept and proper methods for data deletion are common pains in the corporate world. Some questions that may help identify such vulnerability include:

What types of sensitive information does your company handle?

Which department handles each piece of sensitive information?

Is sensitive information stored with non-sensitive information?

Such questions should spur some thought as to what changes need to be made in order to begin alleviating the risks that accompany current processes within departments.

Step 3: Creating a Plan of Action
After identifying which processes require change, create a plan of action for mitigating these risks. Each plan should consider how long it will take for the each change to occur, what type of training is necessary for each individual/department to meet the newly adopted standards and also what responsibilities each individual/department can be held accountable for (i.e. how often are gap analyses(3) regarding security conducted and who conducts them?)

Other challenges include budget limitations and optimizing upon security measures while still adhering to auditing standards. Such measures “should be traceable from one document to another so that audits can easily verify that policies are being enforced.”(4) If technology solutions are an option, comparing different products may be helpful.

After procedures have been established, decision makers should be able to identify “which personnel roles are responsible for which activities, which activities need to be logged, [and] how often inspections and reviews are done internally.”(5) They should also have followed up with a procedure for making additional changes to the policy in the future.

Security Policies to the Rescue
Security policies are a necessary element to prevent your business from facing disaster. “Information security and privacy cannot be a band-aid-add-on after a product or system has been launched; it must be incorporated into the mindset of all personnel,”(6) with ample time and training provided to ensure internalization.

Now that you have your security policy planned out, it’s time for policy implementation. But before you try putting your security policy into action, read Implementing Your Security Policy to get some implementation tips.

End Notes:

1) Wright, Scott. I’m Sorry Sir, But That’s Our (Security) Policy. Security Views. 20 Feb. 2007.

2) Herold, Rebecca. “Addressing Privacy: There Will Never Be a Technology-Only Solution Because of the Human Factors Involved.” Realtime IT Compliance. 29 April 2007

3) A gap analysis compares actual performance to potential performance.

4) Wright, Scott. I’m Sorry Sir, But That’s Our (Security) Policy. Security Views. 20 Feb. 2007.

5) Ibid.

6) Herold, Rebecca. “Addressing Privacy: There Will Never Be a Technology-Only Solution Because of the Human Factors Involved.” Realtime IT Compliance. 29 April 2007