30 Apr 2009
Building and Deploying Effective Security Policies
By IPSECS Admin. Posted in Management
Defining Effective Security Policies
First, we must define what we mean when we say policies are “effective.” One way to build this definition is by looking at the ways organizations feel their policies are not effective. For this discussion, we use the following criteria:
1. Effective policies adequately define the high-level security goals of the company to reduce operational risk.
2. Effective policies adequately protect an organization against legal action for possible violations.
3. Effective policies are read and understood by all employees and contractors in various roles within the organization.
Criterion #1 is based on the need for policies to be complete. An organization’s policies must adequately cover the topics of an effective security program, including compliance with regulations.
Criterion #2 reflects the organization’s fear of damaging lawsuits, including possible violation of legislation. These fears are justified: recent court cases are establishing precedents that would in fact hold most organizations liable.
Criterion #3 reflects most organizations’ highest concern when it comes to security. In fact, these three criteria are intricately related, and it is virtually impossible to adequately satisfy one without the other two.