Good policies should have five distinct attributes to become a successful and reasonably accepatable organization wide.
Specific: A policy must address a specific issue or objective clearly and thoroughly.
Measureable: To be effective, policy must have some condition of measuring adherence to the control. If people are not adhereing to policy then we may need better controls or perhaps better training program.
Achievable: To follow the policy, employee must have enough resources, tools and training to make policy objectives achieveable
Realistic: How realisticcally can we expect the policy will be followed and employee will be able to achieve his/her business objectives without any issues. This is where there is a need to balance security and availability. The question we need to ask how much should we Lock it Down or Free it Up?
Time Based: Specify when policy takes effect, when review will occurs and when conformance become required
To remember these five attributes here is an acronym “SMART”
Writing Information Security Policies
July 11th, 2012 5:30 am
[…] What makes a good Information Security Policy? (deurainfosec.com) […]