Writing Information Security Policies
Policy defines the law of an organization: the acceptable, lower-risk way of doing business. Having a law in place is one thing (and a good start for an organization), but how you enforce and change policies over time is the key to successful policy implementation.
To control your environment, context is everything: what you want to allow, as well as the actions you will take to safeguard your environment and enforce suitable policies. The policies determine who can access your infrastructure, under what circumstances and conditions, and especially what actions must be taken when users or devices are non-compliant.
Over time you need to reassess policies to determine which new policies need to be added and which existing ones need to be edited or discarded based on current business needs. Policy control should be transparent to the user, and a balance needs to be maintained between usability and security. Maintaining this balance is more of an art than a science. If a security control costs more than the benefit gained from the business activity, we may need to readdress how much we want to control the environment, so that the control is acceptable to current business needs and does not thwart business activity.
Regularly reassessing policies, educating users and enforcing current policies helps limit your organization's liability. Make sure your practice matches your policies; otherwise you may be creating a liability that you believe you have protected yourself against.
You have to try out your new policies to see how well they work in your environment. In this regard you might want to issue a policy position statement to receive open feedback from the user community before adding it to your company policy. By reassessing policies on a regular basis, and issuing a policy statement before enforcing a policy, you can achieve better control over your environment by understanding your users' requirements and business needs. The Deming PDCA (Plan-Do-Check-Act) model applies to the process of building policy; you refine this process toward perfection over time.
December 11th, 2009 12:01 pm
Actually, when policies suit the organization, then it grows automatically;
it is not necessary that they have to be revised every time.
October 26th, 2010 2:37 pm
Every organization, big or small, must have some policy with which they will work. These policies will have a great impact on the course of the organization. These policies may be changed with the passage of time.
January 21st, 2011 6:16 am
Policy making is a vital task for the organisation. The success of an organization will greatly depend on effective policy making. And implementing those policies and keeping control is also a very difficult task.
January 21st, 2011 6:19 am
So many organizations have failed due to defective policy. Policy making is crucial for an organization. Controlling is also an important task.