It is remarkable that a decade ago most businesses did not feel the need to have information security policies, as they did not consider it to be a significant risk. Today, almost every organization has a set of information security policies. These policies are created by consultants as a one-time project and then gather dust and nobody ever bothers to look at them.

Information security policies created a few years or even months ago can become outdated. A majority of organizations today have a set of comprehensive information security policies, but very few are able to confidently say that these policies are enforced consistently across the organization. Increasingly, regulations are mandating organizations to adhere to these policies and provide proof of conformance.

Defining the Information Security Policy Framework
Today most organizations don't manage their policy framework and compliance. Too often, they consider policy development to be a one-time project that does not require maintenance. In fact, information security policies must be managed as a process that has the following elements:

1. Business requirements gathering: This phase ensures that business requirements are gathered and understood. This could be generated from internal factors such as corporate governance goals, or operational goals of the business or external factors such as legal or regulatory requirements.

2. Policy creation: Policies are high-level documents that provide guidance for corporate behavior. They should not include specifics on how to implement the policies- implementation details should be addressed in standards, procedures and guidelines.

3. Metric definition: Defining a high level policy may not be enough to ensure compliance and consistent implementation. Therefore, organizations should also define the metrics that will be used to measure compliance.

4. Communication: The way policies are communicated within the organization can significantly affect their compliance. If the policy's communication is customized based on the needs of a particular group such as Finance or Marketing and only relevant policies are communicated to them, it will have a much greater impact.

5. Measurement and response: What gets measured gets done. If an organization does not measure compliance to its policies, and respond to violations, most people within the organizations will ignore its policies. The best way to measure compliance is to define the metrics and make people accountable for compliance to those metrics.

A. Tracking and reporting: Management must be aware of the strengths and weakness within their organization and reporting on policy compliance can highlight the areas of improvement.

Managing the Information Security Policy Framework
Over the past few years, we have heard about why we need information security policies, how to create effective information security policies, but what is often missing from this advice is how to effectively manage the whole “system” - the policy framework. For an information security policy framework to be effective, organizations need to:

Develop a Centralized Framework For Security Policy Management and Ownership.

Many large organizations today have hundreds of information security policies. It is common to see several different policies in different parts of the business addressing the same issue. Having centralized policy management and ownership not only reduces the duplication of effort, it provides accountability. To have a successful policy framework, organizations must:

1. Document the exceptions: There will be times when you'll have to make exceptions to the security policies due to business reasons. Organizations must have rigorous processes in place to ensure exceptions are documented, approved only for legitimate reasons and for a specific timeframe.


2. Senior managers must accept risks and define scope: Policies have to come from the top - only management can evaluate what is important for business and what needs to be protected. At the same time, management must also decide what is not important and in what cases the cost of protecting an asset outweighs the benefits of protecting it.


3. Map policies to regulations: It is not efficient to create a new set of information security policies every time your organizations needs to comply with a new regulation. Whether it is Sarbanes Oxley, HIPAA, and GLBA affecting your organization, the more policies exist, the more it is confusing. Organizations must also take into consideration all legal and regulatory requirements when creating policies and develop a single framework of policies that can be easily mapped to each one of the regulations effecting that organization. As new regulations or requirements get added, the existing policies must incorporate those changes.


4. Automate: Managing the policy framework can quickly become very complicated when various regulatory, legal and corporate governance requirements are taken into consideration. Automating the tasks and process of the information security policy framework can deliver efficiencies.


5. Decentralize implementation: Policy creation, management and administration should be separate from policy implementation. Organizations that have several diverse business units or have recently merged tend to have different tools and processes for security.

6. Revisit your framework regularly: You should institute a regular review process to ensure that your security policies are current and relevant. As businesses evolve, so do the internal and external security threats they face, therefore the security policies should be reviewed at least annually.


Khalid is a senior analyst in Forrester's IT Management & Services research group. His coverage areas include security strategy, organization, metrics, best practices, security awareness and security policy frameworks.