One of the most difficult duties the majority of information security professionals face is the development, implementation and enforcement of information security policies. While many organizations accept the fact that
Until recently, many information security professionals, although recognizing security polices were important, were willing to accept that policies were a low priority for the organization. With the change in the legislative climate (the passing of SOX, GLBA and HIPAA), organizations can no longer afford to relegate information security policies to the back burner. Information security professionals must therefore spur the organization into action. Let's look at several ways you can enlist help from inside and outside your organization.
Get executive management involved
Nothing gets a project moving faster than the CEO or CFO's buy-in. The key to obtaining their support is to help them understand the importance of security policies and policy enforcement. Policies provide boundaries for employee behavior, guidance on how the IT organization configures the infrastructure to protect the organization's assets, guidance on how the organization should safeguard mission-critical data and how the organization will react in the event of a security incident or disaster. Not only must executive management agree to support the policy initiative, they must also be willing to adhere to the policies themselves. When executive management abides by the rules, other employees will follow. Remind executive management that the current legislative environment is holding them responsible for corporate misdeeds and that a great way to prevent these misdeeds is by having strong policies that are consistently enforced.
Get the Board of Directors involved
Corporate Boards are now being held accountable for not providing adequate corporate governance and oversight, particularly when it comes to SOX. As with executive management, education is the key to getting the support of the Board. You should provide the Board with regular updates on security policy initiatives and enforcement, and regulatory developments.
Get your auditors involved
Talk to the organization's external auditors and seek their guidance with security policy development. Policies and procedures are one important component of an IT audit. Auditors like to see strong, well written, well understood and enforceable policies. Auditors can be a great resource and their advice is often taken more seriously by management. A word from the auditors might get a project started six months earlier! Auditors may also be able to provide you with a list of resources and contacts, and act as a sounding board. It is better to obtain and implement auditors' input before an actual audit, since an unfavorable audit could have an adverse effect on year-end reporting. Remember to "keep your friends close and your enemies closer."
Get the organization involved
Create a steering committee of people from around the organization to help with security policies. The committee should consist of representatives from information technology, human resources, executive management, finance, internal audit and risk. To be most effective, recruit members who have decision-making roles in the organization. If you have buy-in from executive management, committee membership will not be optional! The committee should meet regularly to discuss policies and policy enforcement. Instead of dictating the policies, involve the committee in the whole process, creating and implementing the policies from the beginning. Once the committee members understand the need for policies, they can be your biggest proponents, advocating on your behalf throughout the organization.
Utilize existing policy resources from reputable sources
Many security organizations have Web sites with excellent security policy resources. For example, SANS (www.sans.org) devotes a section of its Web site to policy-related issues and has sample templates. Many colleges and universities also post their security policies, which can be used for inspiration.
Talk to business peers
Remember that your organization is not the only one that has to create and implement security policies. Contact business peers, trade associations, or regional and national information security organizations. Get a dialog going and discuss what works, what doesn't work and what fails miserably. Don't be afraid to share.
Make sure all employees are trained on the security policies that pertain to their role in the organization. A policy that no one knows about cannot be enforced. Use appropriate training methods and materials for different departments within the organization. For example, the information technology group will need to know specific technical details about hardware policies like router configuration, whereas general office staff should be briefed on how often they are required to change passwords, the importance of locking their workstations, etc. Training should not be limited to the individual policies alone, however. Why are the policies important? How will the policies affect, and perhaps even benefit, the employees and the organization? Showing employees what they need to do and how they can make an impact on the security of the organization can help motivate them to abide by the policies and assist in policy enforcement.
Will following these tips help you achieve immediate, full buy-in for information security policies and procedures from all parties in an organization? Probably not. Following these tips will help ensure that you have a solid plan for implementing information security policies that achieves organization-wide approval and support. Utilizing these tips, it may be possible to draft an entire army to assist in the development, deployment and enforcement of information security policies within the organization.
About the author
Harris Weisman is information systems security manager at Chemung Canal Trust Company, a regional bank with 15 branches in upstate New York. He previously worked as a security consultant at several large accounting/consulting firms.
This was first published in June 2006