Policy formation 101
There is no tomorrow when writing a security policy. Sathya Mithra Ashok finds out what makes for an effective policy document, and how companies can go about putting together a comprehensive statement of intent.
Security policies are where companies start when they want to plan right for their security investments in technology. Or rather where they should start before making investments.
"From the security point of view, having a policy in place is one of the most overlooked elements. More than 98% of companies in the region do not have a security policy. Even when they do have a policy, it is almost always copied from a book. As a result, they are not designed in line with a company's core requirements," says Faisal Khan, senior security consultant at McAfee Middle East.
But as with almost everything connected to technology in the Middle East, there is always a counter-opinion.
"Surprisingly, I have seen a tremendous improvement in at least the larger organisations, that is ones with 500 or more employees. We always see that they have a security team in place, they have a security framework, if not a comprehensive policy, that they adhere to. These larger organisations that we have been working with, they take a very serious view of security, because they know that somewhere in their history, at some point or the other, they have been at the wrong end of ignoring such policies," states Guru Prasad, general manager for networking at FVC.
A formal document stipulating security rules is essential in any organisation, not only to educate employees on the range of external threats and how to protect themselves against them, but also to inform them so as to prevent inadvertent data losses from within the organisation.
Many enterprises in the Middle East, especially those below the 500 personnel mark, still lack a comprehensive security policy or even a framework to work within. In light of their increasingly global interactions, however, a lot of these organisations are working towards putting in place their very first policies. And a majority of them are discovering that this is not as easy as could be hoped for.
At ground zero
The secret to an effective security policy begins at home, and the first place to start when an organisation wants to put down a policy framework in writing is right at the top.
"The first place that any organisation should start at is to get the initial and sustained executive buy-in, from the CEO right down to the key corporate stakeholders in the company. This is absolutely the first place to start. I have been part of a fair number of policy writings in my time and I have seen that most policies fail if they do not have executive buy-in," states Prasad.
Once you have got the management in the loop, the next step would involve setting down the company's main objectives.
"A security policy should always be designed keeping in mind what the company's business is and what its larger objectives are. A bank will or should have a totally different security policy, and a comparatively rigid one, while a run of the mill large enterprise will have a security policy that is slightly lenient. Essentially and ideally, the security policy will have to differ from organisation to organisation," says Khan.






