Mar 02 2012

What makes a good Information Security Policy?

Category: Security policy | DISC @ 12:50 pm

A good policy has five distinct attributes that make it workable and reasonably acceptable across the whole organization.

Specific: A policy must address one specific issue or objective clearly and thoroughly, so that readers know exactly what is expected of them.

Measurable: To be effective, a policy must include some way of measuring adherence to the control. If people are not adhering to the policy, we may need better controls or perhaps a better training program.

Achievable: To follow the policy, employees must have enough resources, tools and training to make the policy's objectives achievable.

Realistic: How realistically can we expect the policy to be followed while employees still meet their business objectives without friction? This is where security has to be balanced against availability. The question to ask is: how much should we lock it down, and how much should we free it up?

Time-based: Specify when the policy takes effect, when it will be reviewed, and when conformance becomes mandatory.

To remember these five attributes, use the acronym "SMART".

Writing Information Security Policies
