Veronica Mun
Veronica Mun graduated from the University of Washington where she majored in Communication and Psychology. She is currently a member of the marketing team at Essential Security Software, an emerging email anti-theft software company based in Bellevue, WA.
Veronica Mun has written 4 articles for SB Informer.

Tips to Implementing Your Security Policy

How to successfully implement your security policy

Veronica Mun

July 30, 2007



Implementing a security policy is often viewed as a one-week, one-man project. Decision makers do not view security policies as ongoing projects, such as developing software or maintaining a website. Nor do they feel that anybody outside of IT needs to be involved. But surprisingly, like many other projects, security policies also evolve and are full of bugs that need fixing. Time is the only factor that allows for such improvements, but time is all too often overlooked.

Common Pitfalls of Policy Enforcement
Companies are often successful in strategically planning out their security policy, but run into problems when it comes time to enforce it. This can stem from a poorly executed policy in which policy makers did not anticipate the amount of time it would take to properly plan, educate, and train employees.

Just like a company should attempt to motivate all their employees on a new idea or vision, a security policy should be executed in the same manner. People need time to buy into it or else it is bound to fall apart. The most common pitfall in enforcing a security policy is the lack of executives continuously practicing the new policies themselves. A security policy needs to unfold in a top-down direction in order to be effective.

Another common pitfall of enforcing a security policy is the lack of consideration for the employees. Too many decision makers feel that if a new policy is put into place that all employees should fall in line without any complaints. But employees will feel more appreciated and be more willing to comply if their efforts to change are actually recognized and rewarded. Your company may want to consider planning an incentive program to go along with your security policy. If not, at least make it as easy for the users as possible to adopt the new policies.

Structuring Your Policy Roll-Out
During the planning stages of the policy, security risks within procedures were identified, as well as a plan for how these risks will be handled. The improvements that need to be made should be listed in order of importance.

The list(1) shown below can be used as a cheat sheet to help categorize the procedures into different implementation groups. Each change should be categorized as having high or low user impact (UI), and as having high or low security impact (SI).

For example, say you want your IT administrator to change the default passwords every month, as part of your new security policy. That would not impact the average user much, but it would be a high security benefit. Therefore, it would be placed in the first group.

1) LOW UI, HIGH SI - Has minimal user impact, so changes can be easy and immediate. (Ex: Changing default passwords every month)

2) HIGH UI, HIGH SI - Requires education and training, with a high impact on security. (Ex: Deployment of new security software such as encryption)

3) HIGH UI, LOW SI - Requires education and training, with only a low impact on security. (Ex: Holding meetings to educate users about new security policies)

4) LOW UI, LOW SI - Can be deferred until after completion of other solutions. (Ex: Moving one security solution that works in one dept. to another dept.)

Prioritizing Your Policy Changes
The quadrants are numbered to specify which changes should be implemented first. Keep in mind that although activities in quadrants 2 and 3 require more time for a learning curve, the education and training can take place at the same time that the changes in quadrant 1 are being made. Changes placed in quadrant 4 are not as urgent and do not provide much improvement to existing security, and are therefore usually deferred to a later time.(2)

The Move toward Policy
Now is the time for companies to start taking security seriously. Whether it’s an insider who steals customer records from Fidelity National Information Services or a hacker who breaches the information network of Ohio State University, stricter policies will help to prevent such incidents, both intentional and accidental.

Resources and tools have become more readily available than ever before, so the process does not need to be performed alone. There are companies out there who can meet your needs once you've identified them. If the tips provided in this article are applied in the planning process of your company's security policy, they should lead you on your way to creating a safer and more secure environment for your employees and your customers.


End Notes:

1) “You’ve Got a Security Policy. Now What?” Implement & Integrate. 3 Jan. 2007: 4.

2) Ibid.
