Thursday, December 20, 2012

Does An Information Security Policy Create Corporate Implications?

It's fairly easy to declare an information security policy such as "information is a valuable asset and must be protected by all personnel"; but what are the implications of such a policy for your company?

For starters it means people must recognize that information is a company asset and has value; that it includes electronic and physical information as well as the spoken word; that it must be protected from unauthorized disclosure; and that no one is exempt (including the CEO and the board). This in turn implies people have to treat information according to its sensitivity ... therefore a need for handling guidelines. To treat it accordingly they'll have to know its sensitivity, which requires that the assets be labelled ... therefore a need for a classification standard and labelling procedures (how will a paper document be labelled versus a USB stick?). Will you use security levels such as public use, internal use only, confidential, and restricted? Will the classification level change throughout the life cycle of the information (for example, quarterly results are restricted before release and public afterwards)? If so, what processes are required to ensure this happens?

Now you have to teach all of this to everyone (the policy, standard, guidelines, and procedures). What will be needed in the awareness and education packages? Who will get what level of training? ... not everyone needs the same amount of detail: what types of employees do we have, and are some folks grandfathered in?

Who's going to make sure all of this happens, and who is responsible for ensuring the policy gets implemented? Is a chief information security officer (CISO) needed? Regular audits will be required to ensure understanding of, and adherence to, the policy.

But hold on ... what about the criticality of the information (its integrity and availability requirements)? What we've been talking about so far relates only to the sensitivity (confidentiality) of the information. What classification structure is required for integrity and availability levels? How will information systems and processes meet those criticality needs?

What are the proper handling methods to use, the proper systems to implement, and the proper processes to develop? ... well, you're going to have to use risk management procedures consisting of: identifying the categories of information in use, identifying all information assets, identifying the asset owners and users, and then ensuring proper protection for both sensitivity and criticality by using threat and risk assessments (TRAs) that drive the selection of security controls.

The most important requirement is keeping this information security program on track so that it meets company objectives. This means you will have to define a strategy that lays out a multi-year road map to a successful conclusion. Measuring success requires a list of objectives along with defined measurements for each objective ... objectives plus measurements equals metrics.

At the end of all this you'll be able to ensure the right people get the right information at the right time for the right reason!

Did you find this information on the implications of a security policy useful? You can learn a lot more about how our set of documents on information security can help you implement a security program by visiting our web site at MASE Consulting Ltd.


Information Security, implications, policy, standards, guidelines, metrics, risk assessment, TRA
