Page 19 - DCAP516_COMPUTER_SECURITY
Unit 2: Information Security Policies
tools, showing what the company’s stance is on best practice issues and that they have controls
in place to comply with current and forthcoming legislation and regulations.
Notes: In today’s corporate world it is essential for companies to be able to show compliance
with current legislation and to be prepared for forthcoming legislation.
Policy can be used to help companies ensure they have the controls in place to work towards
compliance by mapping policy statements to legislative requirements. In this way they can
provide evidence that their baseline security controls are in line with regulations and legislation.
This type of stance will also give companies an indication, based on legal requirements, of what
they need to protect and to what extent. This will help to ensure that they target security controls
only where they are needed, a benefit from both a financial and a personnel resourcing perspective.
Policies as Catalysts for Change
It is also possible to use policies to drive forward new company initiatives, with policy acting as
the catalyst for future projects which move towards better security and general practices. For
example, a policy stating that a certain type of encryption is required for sensitive information
sent by email may (with prior consultation with the appropriate technical experts) help to
promote the need to develop such a capacity in the future. The presence of this requirement in
policy has made sure the impetus to develop the email encryption project has remained strong.
In short, security policy should be a useful tool for protecting the security of the Enterprise,
something that all users can turn to in their day-to-day work, as a guide and information source.
All too often however, security policies can end up simply as “shelfware”, little read, used, or
even known of by users and disconnected from the rest of company policy and security practice.
Policies must be Workable
The key to ensuring that your company’s security policy is useful and usable is to develop a suite
of policy documents that match your audience and marry with existing company policies.
Policies must be usable, workable and realistic. In order to achieve this it is essential to involve
and get buy-in from the major players in policy development and support (such as senior
management, audit and legal) as well as from those people who will have to use the policies as
part of their daily work (such as subject matter experts, system administrators and end users).
In order to achieve this, one important element is to communicate the importance and usefulness
of policies to those who have to live by them. Often users seem to think that policy is something
that is going to stand in the way of their daily work. An important element of policy development,
and to ensure policies are put into practice and not rejected by the users, is to convey the message
that policies are useful to users: to provide a framework within which they can work, a reference
for best practice and a way to ensure users comply with legal requirements. Once users realize that
policy is something that may actually help them as they go about their work, they are much
more likely to be receptive both to helping you develop it and to living up to it to ensure compliance.
Similarly, once senior management realize that policy is a tool they can leverage to help ensure
adherence to legislative requirements and to move forward much needed new initiatives, they
are much more likely to be supportive of policy in terms of financial and resourcing support as
well as becoming policy champions themselves.
LOVELY PROFESSIONAL UNIVERSITY 13