In many situations, security policies become an organisation's first line of defence, but very often they do not play as critical a role as they should.
Security policies are developed and implemented as living documentation, written to suit the general employee population, third-party auditors, the IT department, potential partners and suppliers, and any other stakeholder of the organisation.
The secret behind successful and effective security policies is that they should be written so that updates and modifications do not become a cumbersome task, and so that they can bring a call to action to prevent breaches from occurring, or lay out the proper procedures and processes should an incident occur.
Most organisations prefer to develop security policies themselves, using common sense and their own experiences and requirements as a guideline. However, there are also software packages available, both commercial and freeware, that automate the creation of these policies.
The actual setting of security policies within an appliance, such as the firewall server, is the other aspect of policy management.
Companies need to make sure that the policies are flexible enough to allow information to flow, but not so lenient that the doors to the organisation are completely open.
It is a fine balance that needs to be monitored closely and consistently, but often isn't. The reason for today's renewed interest in security policy is the continued expansion outside the traditional boundaries of an organisation with partners and suppliers, as well as a closer tie-in to responses to business continuity should a disaster occur.
Many external parties now demand to review security policy documents and configurations before doing business, to ensure that the transfer of information and Intellectual Property (IP) will be secure from one company to the next.
This awareness will only continue as IP is more easily shared across the Internet. Organisations need to ensure that they are no longer simply meeting the minimum requirements of the security policy document to keep the auditors content, but that they understand that maintaining policies is not only a matter of strong password protection, but one of trusted relationships and an avenue to create additional revenue.
How to prepare and implement a policy:
Be clear about the risks you are trying to avoid.
Consult staff about the proposed policies for their feedback.
Ensure there is a balance between practicality and control. Remember that trust is as important as supervision.
If you use a lawyer's policy, check to make sure that it applies to your circumstances and that it is easy to understand.
Where appropriate, include the new policies in staff handbooks, new employee induction, intranet sites and so on.
It needs to tie in with your disciplinary procedures, employee contracts and other policies.
Make sure that everyone sees the policy once it is finalised.
Make sure that the policy is available for people to consult.
Someone in the company should be responsible for implementing and monitoring the policy.
Keep the policy under review to make sure it stays current.