When I look at some organisations' security policies, I wonder who they were written for, and why. Often they seem to miss the basic idea of having a policy at all. Some organisations may not see the point in maintaining a framework of well-defined policies, and create them mainly for compliance purposes to get a tick in the box. While this is not true of all organisations, I get the feeling that some underrate the value of a good set of policies embedded in a well-defined policy governance framework.
If you ask me what the issues with these policies are, you might be surprised by the answer. I think it is often the basics that are not understood, such as the difference between a policy, a procedure, a standard and an implementation guideline. Policies need to be viewed in the context of the organisation. For example, why have an information security policy if it is not clear how it relates back to your organisation's business strategy and risk approach? You should have policies for each of these areas, but are they reflected in how your policies are structured, for instance through a well-thought-through policy framework? Without such a structure, can whatever your information security policy defines be clearly traced back to your organisation's risk posture?
In my view, policy should be to an organisation what law is to the general population. Policies define the rules and boundaries that all employees, and in some cases third parties, have to abide by. They can apply to the whole population, meaning all employees, or only to parts of it, depending on the context. But policies must go beyond what the legal system provides, and they should also be leveraged in a different way.