Veronica Mun
Veronica Mun graduated from the University of Washington where she majored in Communication and Psychology. She is currently a member of the marketing team at Essential Security Software, an emerging email anti-theft software company based in Bellevue, WA.
Veronica Mun has written 4 articles for SB Informer.
3 Steps to Planning a Security Policy
How to plan a successful security policy
Veronica Mun
July 24, 2007
It is common for companies to notice a security problem and then
immediately look for technology solutions to plug the hole. In the
end, they wonder why they have an abundance of solutions that still do
not efficiently secure company assets. This is where planning becomes a
necessity.
The Importance of Planning
Planning your security policy requires a close analysis of employee
behavior in different job roles and is also the time for company
security goals to be articulated. Having problems and goals evaluated
simultaneously makes it easier to come up with all-encompassing
solutions that will be effective and advantageous for all. A good rule
of thumb when planning a security policy is to base the policy around
risks rather than technology. A policy should not change as the
technology changes.(1)
The planning stage helps to address this by focusing on
employee behavior. This is crucial because changes in policy often
start with changes in procedure. "Organizations need to understand that
much of information security and privacy work that needs to be done are
people-based [regarding] policies, procedures, training, awareness
[and] response activities."(2)
Planning Your Security Policy
There are three steps to keep in mind when planning your policy. The
first requires you to express the goals of your policy: what are you
trying to accomplish, and what are you trying to protect? The second
step requires you to scan the work environment and identify
vulnerabilities that exist within current processes. The final step
asks you to create a plan of action that will help alleviate the flaws.
All three contribute equally to planning success.
Step 1: Setting Goals for Your Security Policy
Your security policy goals should run parallel with the goals set for
your company. For example, if your company is customer oriented, then a
goal of your security policy should be to protect your customers and
their data through the use of encryption and network security.
Furthermore, all parties should play a role in goal setting. This is
crucial because if a security breach were to occur, each department
would play a different role in the recovery process, as well as in
re-evaluating procedures for policy improvement. Company-wide
involvement gives each department time to invest in the policy,
ensuring a higher level of cooperation when the time comes to implement
it.
Step 2: Identifying Security Vulnerabilities
A company must examine existing procedures and identify all processes
that pose a security risk. For example, policies regarding data
management (how data is protected during storage, how long it is kept,
and proper methods for data deletion) are common pain points in the
corporate world. Some questions that may help identify such
vulnerabilities include:
What types of sensitive information does your company handle?
Which department handles each piece of sensitive information?
Is sensitive information stored with non-sensitive information?
Such questions should spur some thought as to what changes need to
be made in order to begin alleviating the risks that accompany current
processes within each department.
Step 3: Creating a Plan of Action
After identifying which processes require change, create a plan of
action for mitigating these risks. Each plan should consider how long
it will take for each change to occur, what type of training is
necessary for each individual or department to meet the newly adopted
standards, and what responsibilities each individual or department can
be held accountable for (for example, how often are gap analyses(3)
regarding security conducted, and who conducts them?).
Other challenges include budget limitations and getting the most out
of security measures while still adhering to auditing standards. Such
measures "should be traceable from one document to another so that
audits can easily verify that policies are being enforced."(4) If
technology solutions are an option, comparing different products may be
helpful.
After procedures have been established, decision makers should
be able to identify "which personnel roles are responsible for which
activities, which activities need to be logged, [and] how often
inspections and reviews are done internally."(5) They should also have
defined a procedure for making additional changes to the policy in the
future.
Security Policies to the Rescue
Security policies are a necessary element in preventing your business
from facing disaster. "Information security and privacy cannot be a
band-aid-add-on after a product or system has been launched; it must be
incorporated into the mindset of all personnel,"(6) with ample time and
training provided to ensure internalization.
Now that you have your security policy planned out, it's time
for policy implementation. But before you try putting your security
policy into action, read Implementing Your Security Policy for some
implementation tips.
End Notes:
1) Wright, Scott. "I'm Sorry Sir, But That's Our (Security) Policy." Security Views. 20 Feb. 2007.
2) Herold, Rebecca. "Addressing Privacy: There Will Never Be a Technology-Only Solution Because of the Human Factors Involved." Realtime IT Compliance. 29 April 2007.
3) A gap analysis compares actual performance to potential performance.
4) Wright, Scott. "I'm Sorry Sir, But That's Our (Security) Policy." Security Views. 20 Feb. 2007.
5) Ibid.
6) Herold, Rebecca. "Addressing Privacy: There Will Never Be a Technology-Only Solution Because of the Human Factors Involved." Realtime IT Compliance. 29 April 2007.