Every organization is required to have an effective information security program that maps to its business drivers, regulatory requirements and threat profile. Although organizations across the globe are increasingly recognizing the importance of information security for business, the complexity of the issues involved in formulating an appropriate information security policy varies greatly from company to company.
This may depend on multiple factors, including the importance of the business information, the size of the company, the type of operations and businesses the company is involved in, and the number and types of information and information systems it uses. Developing a robust Information Security Policy is a crucial first step in the program.
While small organizations can quickly deploy an information security policy to address their needs, for large organizations developing a single policy document that encompasses all users and resources and addresses the entire gamut of information security issues is a herculean task. A more effective approach is to develop a suite of policy documents covering all information security assets, each targeting a specific audience and addressing the information security concerns relevant to it. This approach ensures that the policy is easy to maintain and can focus on specific requirements as emerging threats and risk assessments dictate.
A security policy should fulfil many purposes. According to http://www.sans.org, it should:
- Protect people and information
- Set the rules for expected behaviour by users, system administrators, management, and security personnel
- Authorize security personnel to monitor, probe, and investigate
- Define and authorize the consequences of violation
- Define the company consensus baseline stance on security
- Help minimize risk
- Help track compliance with regulations and legislation
Basic Steps in Developing an Information Security Policy
- Identify all assets that are required to be protected
- Identify all threats and vulnerabilities and the likelihood of those threats occurring
- Identify the measures to safeguard the assets in a cost-effective manner
- Identify the roles and responsibilities of various parties and communicate them
- Monitor and review the process continuously for improvement.
ISO 27002 provides a comprehensive set of guidelines and controls comprising best practices in information security, and can therefore be used as a basis for developing a security policy. ISO/IEC 27002 provides best practice recommendations on information security management for use by those responsible for initiating, implementing or maintaining information security management systems (ISMS). Information security is defined within the standard in the context of the C-I-A triad: the preservation of confidentiality (ensuring that information is accessible only to those authorized to have access), integrity (safeguarding the accuracy and completeness of information and processing methods) and availability (ensuring that authorized users have access to information and associated assets when required).
Who is Responsible?