Characteristics of a Successful Information Security Policy

The role of policy is to codify guiding principles, shape behavior, provide guidance for decision makers, and serve as an implementation roadmap. An information security policy is a directive that defines how an organization is going to protect its information assets and information systems, ensure compliance with legal and regulatory requirements, and maintain an environment that supports the guiding principles.
The objective of an information security policy and corresponding program is to:
1.    Protect the organization, its employees, its customers, and also vendors and partners from harm resulting from intentional or accidental damage, misuse, or disclosure of information;
2.    Protect the integrity of the information; and
3.    Ensure the availability of information systems.
Successful information security policies establish what must be done and why it must be done, but not how to do it. Good policy has the following seven characteristics:
1.    Endorsed – The policy has the support of management.
2.    Relevant – The policy is applicable to the organization.
3.    Realistic – The policy makes sense.
4.    Attainable – The policy can be successfully implemented.
5.    Adaptable – The policy can accommodate change.
6.    Enforceable – The policy is statutory.
7.    Inclusive – The policy scope includes all relevant parties.
Taken together, the characteristics can be thought of as a policy pie, with each slice being equally important.

Endorsed

We have all heard the saying “Actions speak louder than words.” In order for an information security policy to be successful, leadership must not only believe in the policy, they must also act accordingly by demonstrating an active commitment to the policy and serving as role models. This requires visible participation and action, ongoing communication and championing, investment, and prioritization.
Nothing will doom a policy quicker than having management ignore, or worse, disobey or circumvent it. Conversely, visible leadership and encouragement are two of the strongest motivators known to humankind.

Relevant

Strategically, the information security policy must support the guiding principles and goals of the organization. Tactically, it must be relevant to those who must comply. Introducing a policy to a group of people who find nothing recognizable in relation to their everyday experience is a recipe for disaster.
Policy writing is a thoughtful process that must take into account the environment. If policies are not relevant, they will be ignored or, worse, dismissed as unnecessary, and management will be perceived as being out of touch.

Realistic

Think back to your childhood to a time you were forced to follow a rule you did not think made any sense. The most famous defense most of us were given by our parents in response to our protest was “Because I said so!” We can remember how frustrated we became whenever we heard that statement, and how it seemed unjust. We may also remember our desire to deliberately disobey our parents – to rebel against this perceived tyranny. In very much the same way, policies will be rejected if they are not realistic. Policies must reflect the reality of the environment in which they will be implemented.
If you engage constituents in policy development, acknowledge challenges, provide appropriate training, and consistently enforce policies, employees will be more likely to accept and follow the policies.

Attainable

Information security policies and procedures should only require what is possible. If we assume that the objective of a policy is to advance the organization’s guiding principles, one can also assume that a positive outcome is desired. A policy should never set up constituents for failure; rather, it should provide a clear path for success.
It is important to seek advice and input from key people in every job role in which the policies apply. If unattainable outcomes are expected, people will fail. This will have a profound effect on morale and will ultimately affect productivity. Know what is possible.

Adaptable

In order to thrive and grow, businesses must be open to changes in the market and willing to take measured risks. A static set-in-stone information security policy is detrimental to innovation. Innovators are hesitant to talk with security, compliance, or risk departments for fear that their ideas will immediately be discounted as contrary to policy or regulatory requirement. “Going around” security is understood as the way to get things done. The unfortunate result is the introduction of products or services that may put the organization at risk.
An adaptable information security policy recognizes that information security is not a static, point-in-time endeavor, but rather an ongoing process designed to support the organizational mission. The information security program should be designed in such a way that participants are encouraged to challenge conventional wisdom, reassess the current policy requirements, and explore new options without losing sight of the fundamental objective. Organizations that are committed to secure products and services often discover it to be a sales enabler and competitive differentiator.

Enforceable

Enforceable means that administrative, physical, or technical controls can be put in place to support the policy, that compliance can be measured and, if necessary, appropriate sanctions applied.
If a rule is broken and there is no consequence, then the rule is in effect meaningless. However, there must be a fair way to determine if a policy has been violated, which includes evaluating the organization's support of the policy. Sanctions should be clearly defined and commensurate with the associated risk. A clear and consistent process should be in place so that all similar violations are treated in the same manner.

Inclusive

It is important to include external parties in our policy thought process. It used to be that organizations only had to be concerned about information and systems housed within their walls. That is no longer the case. Data (and the systems that store, transmit, and process it) are now widely and globally distributed. Organizations that choose to put information in or use systems in “the cloud” may face the additional challenge of having to assess and evaluate vendor controls across distributed systems in multiple locations. The reach of the Internet has facilitated worldwide commerce, which means that policies may have to consider an international audience of customers, business partners, and employees. The trend toward outsourcing and subcontracting requires that policies be designed in such a way as to incorporate third parties. Information security policies must also consider external threats such as unauthorized access, vulnerability exploits, intellectual property theft, denial of service attacks, and hacktivism done in the name of cybercrime, terrorism, and warfare.
An information security policy must take into account organization objectives; international law; the cultural norms of its employees, business partners, suppliers, and customers; environmental impacts; and global cyber threats. The hallmark of a great information security policy is that it positively affects the organization, its shareholders, employees, and customers, as well as the global community.
