A Greater Town : US : NY : New York : Computers & Electronics : Informational Technology — Information Technology

Information Security Policies: Useless Without Enforcement

Information Technology

Updated on Mar 26, 2013

Edit post | View more like this | Visit New York, NY | Contact Cyber Data Risk Managers
Information Security Policies: Useless Without Enforcement
by Christine Marciano, President, Cyber Data Risk Managers

Organizations often put a lot of money and energy into the creation of a security policy. However, many organizations tend to miss the mark after their policy is created due to lack of policy enforcement. Without enforcement, the best information security policy is ineffective. Having, but not enforcing, policies is just as bad as never having them in the first place.

Effective security policies form the foundation of an organization's entire approach to security, whether it's endpoints, end-user devices, application software, new servers, or some other element of the network. Security policies are a living, breathing component of any successful organization and should mirror an organization's culture and be in harmony with its business practices.

When organizations create their security polices, compliance is usually foremost in their minds. Often, an organization fails to do a risk assessment prior to crafting their policy. This results in a security policy that looks good on paper but is not realistic in the real world and is not enforceable. Prior to creating a security policy, organizations need to consider why they need their policy and what they are trying to achieve with it so that the end result is an enforceable security policy that can proactively defend against escalating security threats.

A successful security policy should be structured around three major components: people, process, and technology. Organizations should think about implementing and enforcing their security policy in a holistic way. By taking a holistic approach while in the security policy creation process, an organization can minimize security policy enforcement challenges.

Organizations need to keep in mind that a security policy is not a product, it is a process. With security threats inundating IT administrators and government regulations forcing compliance, organizations can streamline their security efforts by creating and enforcing strong security policies.

A security policy that languishes unattended or enforced can put an organization in danger. Failure to enforce can cost an organization on a number of levels. Leaks of personal identifiable information (PII) can result in regulatory breaches and fines, as well as damage to reputation and an organization's brand. It can also leave an organization's most valuable asset, its intellectual property, exposed if security policies are not strictly enforced.

An endpoint security policy serves as the foundation. This is why it's important that organizations implement a security policy that is understandable, realistic, consistent, and enforceable. A successfully enforceable security policy is one that is implemented, monitored, flexible, and reviewed.

After an organization invests time and effort in developing a strong security policy, it needs to make sure that management is on board. Having management on board and following the security policy helps security policy enforcement.

After a security policy is created, it needs to be implemented and employees need to receive training so that they understand and follow the policy. Organizations need to explain to their employees the need for the policy and specify what the policy is trying to accomplish so that employees are on board.

Security policies need to be monitored to make sure they are being followed. An acknowledgement statement should be given to employees that specifies the employee has received a copy of the policies, that they have read the policies, and that they agree to abide by the policies. Copies of the signed acknowledgement forms should be retained in employee files so that it can be retrieved if needed.

Changes happen daily, and a security policy needs to be flexible on what it covers.

A successful security policy needs to be reviewed. To ensure that policies do not become obsolete, organizations should implement a regular review process. For instance, Bring Your Own Device (BYOD) is being adopted in many organizations today, and if an organization does not have wireless communications in their existing security policy, policies need to be updated. Depending on how often an organization changes its business relationships or if it is in a merger or acquisition mode, it may require a constant review of its security policies.

*Article originally appeared in http://www.point2security.com (5/1/12)


Christine Marciano
US toll free: 1 +855.CUT.RISK
Fax: 1 +732.709.1684
Twitter: @DataPrivacyRisk

goodideazs, LLC is not affiliated with the authors of this post nor is it responsible for its content, the accuracy and authenticity of which should be independently verified.

About | Advertise | Terms | Privacy | Contact A Greater Town

Top Business Listings | Banner Art Gallery | Blog | Seo Site Crawler

Copyright © 2007-2019 goodideazs, LLC. All rights reserved.