The Smart Techie was renamed Siliconindia India Edition starting Feb 2012 to continue the nearly two decade track record of excellence of our US edition.

Managing your information security policies

Khalid Kark
Tuesday, January 31, 2006
It is remarkable that a decade ago most businesses did not feel the need to have information security policies, as they did not consider information security to be a significant risk. Today, almost every organization has a set of information security policies. These policies are created by consultants as a one-time project and then gather dust; nobody ever bothers to look at them.

Information security policies created a few years or even months ago can become outdated. A majority of organizations today have a set of comprehensive information security policies, but very few are able to confidently say that these policies are enforced consistently across the organization. Increasingly, regulations require organizations to adhere to these policies and provide proof of conformance.

Defining the Information Security Policy Framework
Today most organizations don't manage their policy framework and compliance. Too often, they consider policy development to be a one-time project that does not require maintenance. In fact, information security policies must be managed as a process that has the following elements:

1. Business requirements gathering: This phase ensures that business requirements are gathered and understood. These requirements can arise from internal factors, such as corporate governance goals or operational goals of the business, or from external factors, such as legal or regulatory requirements.

2. Policy creation: Policies are high-level documents that provide guidance for corporate behavior. They should not include specifics on how to implement the policies; implementation details should be addressed in standards, procedures and guidelines.
