Policy formation 101

There is no tomorrow when writing a security policy. Sathya Mithra Ashok finds out what makes for an effective policy document, and how companies can go about putting together a comprehensive statement of intent.

By Sathya Mithra Ashok. Published October 13, 2008

Lakshmanan adds, "If you do not update the policy according to the new development or the new technology change or the new kind of trends that are emerging, the policy can prove to be inefficient in the long term."

Experts recommend reviewing the policy for changes at least twice a year in large organisations. Moreover, if there are any changes in the technology used or in the business objectives of the organisation, it is essential to revisit the policy and amend it as appropriate.

The final call

Writing the initial security policy calls for a lot from an organisation in terms of resources, man-hours and senior management effort.

However, organisations in the Middle East cannot afford not to have a written policy that they can enforce enterprise-wide, not only to improve current security levels but also to guide their future security investments.

As Lakshmanan puts it, "Not having a security policy is the biggest mistake of all. Organisations believe that implied policy is all that is necessary, and if this is communicated intermittently to employees, then they will behave likewise and data breaches will be minimised, without the need for a formal, written policy. This is not true. A well-written security policy is a basic necessity, and organisations will need to do it."

Tips to writing a better security policy

1. External help - if you do not possess adequate IT skills in-house, call in an external consultant to help you with forming the policy.

2. Identify and locate assets - an organisation needs to have a very clear idea of the kind and amount of assets it has in its network, including physical equipment as well as the data stored on it. Evaluate how much the loss of each asset would cost the organisation.

3. Assess your risk - you will need to analyse and categorise the various threats that are likely to affect these assets. You will also need to have an idea of the likelihood of threats, and the resultant damage.

4. Access privileges - irrespective of whether it is senior management or not, adopt a strict 'need to know' policy when granting access privileges. Remember that the more passwords you allow, the greater the likelihood of a breach.

5. Perform a site survey - move your assets to safer areas and relocate them so that they are more secure. Look at everything from wiring routes and cables to the entry and exit points of these assets.

6. Classify data - structure your information based on how important it is to you as an organisation, and identify which groups of employees have access to each class.

7. Have a DR plan - an incident response and escalation plan, if not a full disaster recovery plan, should be part of any security policy. Plan to have that in place from the beginning.

8. Appoint a team for policy enforcement - make someone responsible for ensuring that the policy is enforced across the organisation. Also conduct regular team meetings to establish innovative ways to spread awareness of the policy among your employee base.

9. Review response to procedural changes - know for sure whether your employees will be able to adhere to procedural tasks such as keeping their passwords to themselves and locking their drawers before leaving for the night.

10. Update your policy regularly - be ready to make changes to your policy at periodic intervals, as the threat landscape changes and as your internal systems and personnel are transferred or changed.
