This is a guest post by Joe Schembri.
An enterprise IT security policy can be an overwhelming document to manage, and IT professionals who take on a task like this should be fully prepared. An IT security policy should address the many different facets of an organization, including the company’s mission, its employees, its critical assets, the threats it faces, and how those threats are to be mitigated across the whole organization.
Where to begin
First, it is important to find out exactly what the mission of the organization is and how it fits into the organizational structure and the overall working environment. If a business-impact analysis with a proper risk assessment has not been completed, one will need to be, in order to identify the weaknesses that could keep the company from meeting its goals and objectives and from protecting its assets.
Next, identifying the critical assets that need protection, both physical assets such as employees, buildings and servers and logical assets such as data, will help to settle the chief components of the policy. How each asset is targeted and protected can depend on the nature and size of the business, for example whether it is a Fortune 500 company or a government agency.
If working for a federal agency, policy development should follow the Federal Security Management Act, which requires federal organizations to maintain an up-to-date security policy. If working for another type of organization, checking whether any industry-specific requirements apply is essential.
Creating a document that is usable is vital; therefore it is important to state at the beginning what the policy covers and what it does not, which makes it easier to translate the articles within the document into usable procedures. Knowing the organization well, in all its aspects, will help in creating a document that includes every critical part of the business, such as the employees, the working environment, and the roles of the different departments.
Define the target audience
In creating any document it is important to know who it is written for; knowing this makes it easier to decide on language style and content. For example, if the CEO is one of the people interested in the policy, which is highly likely, then he will have an agenda that should be taken into consideration, such as addressing the organizational mission. Other stakeholders could be the CIO or the CISO, and each may require a different angle or language for the sections that are pertinent to them.
Keep the policy at a high-level
Keeping the tone general and broad will help to align the policy statements with the mission throughout the entire document. Getting into too much detail can make the policies unusable, along with the many procedures that will most likely be derived from them and implemented by the people using this document.
Address weaknesses with policy
Keep the identified weaknesses in mind and come up with thoughtful policies that help reduce them, while keeping the mission and the business-impact analysis in view. This approach should be evident throughout the document so that organizational functionality is supported by effective policies.
Keep in mind that a security policy document such as this one will always be changing to address the ever-changing needs of a business. Developing an enterprise IT security policy takes patience as well as collaboration from every sector of an agency, and therefore it is important to set a reasonable pace. Getting out of draft mode and into implementation of even 90% of the policies will largely be a success.
About the Author: This article was submitted by Joe Schembri, who has several years of security experience and has participated in information security training courses. He currently writes for University Alliance about their information assurance training courses.