Drivers of information security policies
Traditionally, security policies were driven by the need
to mitigate risks, which the organization's information assets
faced from external threats and internal vulnerabilities.
However, today they are also driven by the compulsion to comply
with legislative and regulatory obligations, and by the need
to underpin business expansion strategies by creating trust relationships
between the organization and its customers, partners and stakeholders.
From being mere instruments of risk management, security policies
today have morphed into becoming vital enablers of business
operations and strategic imperatives.
Implementing security policies
An organization's information security policy is driven
from the highest level. It starts with the Board of Directors
initiating a security program policy which is a formal definition
of the organization's posture and approach to information
security. It defines the business purpose for initiating the
security program and the goals sought to be achieved; delineates
the facilities, assets, hardware, software and personnel to
be included in the program, and defines the compliance imperatives
of the program by authorizing a framework to manage and monitor
the security status and initiate disciplinary actions for
violations. The CEO or Head of management is made the owner
of the security program.
The CEO implements the security program through a Security
Committee appointed for the purpose, or through the CIO/CSO.
A robust security program begins by clearly classifying the
information assets of the organization, and nominating their
owners, custodians and users along with their responsibilities
for safeguarding. This is followed by a risk assessment to
determine external threats to the information assets and internal
vulnerabilities in them.
The risk assessment provides a clear perspective of the risks
posed to each asset, probability of the risk materializing,
the impact on the business in the event of the asset's loss
or breach, the safeguards available to mitigate the risk,
and the cost of each alternative vis-à-vis its benefit.
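The paragraph above lists what a risk assessment has to yield for each asset: the risk, its probability, the business impact, the candidate safeguards and the cost of each against its benefit. The following is an added example, not part of the original article, showing one way to work those elements through for a small set of assets. It assumes a simple quantitative model (expected annual loss = annual probability × impact, safeguard benefit = expected loss × fraction of risk removed), which the article does not prescribe; the assets, figures and safeguard names are constructed for illustration.

```python
from dataclasses import dataclass, field


@dataclass
class Safeguard:
    """A candidate control: what it costs per year and how much of the
    expected loss it removes (fraction 0..1, an assumed estimate)."""
    name: str
    annual_cost: float
    risk_reduction: float


@dataclass
class AssetRisk:
    """One row of the risk assessment: asset, nominated owner, the threat,
    likelihood per year, impact if it materializes, and candidate safeguards."""
    asset: str
    owner: str
    threat: str
    annual_probability: float
    impact: float
    safeguards: list = field(default_factory=list)

    def expected_annual_loss(self) -> float:
        # Probability of the risk materializing times the business impact.
        return self.annual_probability * self.impact


def net_benefit(risk: AssetRisk, sg: Safeguard) -> float:
    """Benefit of a safeguard (loss it avoids) minus what it costs to run."""
    avoided_loss = risk.expected_annual_loss() * sg.risk_reduction
    return avoided_loss - sg.annual_cost


def recommend(risk: AssetRisk):
    """Pick the safeguard with the highest positive net benefit.
    Returns (None, 0.0) when no safeguard pays for itself, i.e. the
    cost of every alternative exceeds its benefit and the risk is accepted."""
    best, best_net = None, 0.0
    for sg in risk.safeguards:
        net = net_benefit(risk, sg)
        if net > best_net:
            best, best_net = sg, net
    return best, best_net


def build_register(risks):
    """Rank assets by expected annual loss and attach the recommendation."""
    rows = []
    for r in sorted(risks, key=lambda x: x.expected_annual_loss(), reverse=True):
        sg, net = recommend(r)
        rows.append({
            "asset": r.asset,
            "owner": r.owner,
            "threat": r.threat,
            "expected_annual_loss": round(r.expected_annual_loss(), 2),
            "recommended_safeguard": sg.name if sg else None,
            "net_benefit": round(net, 2),
        })
    return rows


# Constructed sample assessment (figures are illustrative, not real data).
SAMPLE_RISKS = [
    AssetRisk("Customer database", "Head of Sales", "Data breach", 0.2, 500_000.0, [
        Safeguard("Encryption at rest", 15_000.0, 0.6),
        Safeguard("Data loss prevention suite", 80_000.0, 0.7),
    ]),
    AssetRisk("Public website", "Marketing", "Defacement", 0.5, 20_000.0, [
        Safeguard("Web application firewall", 12_000.0, 0.8),
    ]),
    AssetRisk("Laptop fleet", "IT Operations", "Device theft", 0.3, 40_000.0, [
        Safeguard("Full-disk encryption", 5_000.0, 0.9),
    ]),
]


if __name__ == "__main__":
    for row in build_register(SAMPLE_RISKS):
        print(row)
```

Running the block prints the register ordered by expected annual loss. Note that the website row ends with no recommended safeguard: the only candidate costs more than the loss it avoids, which is exactly the cost-versus-benefit judgement the paragraph describes, and such an accepted risk should be recorded with its owner rather than silently dropped.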
The risk assessment is followed by development of the organization's
information security policies. The security policies would
aim to mitigate the risks identified during the risk assessment
exercise. At this point, the organization would also evaluate
the business processes to see if any security/privacy policies
would need to be put into place to meet legislative or regulatory
requirements, or for meeting other business strategies.
A common fallacy among many organizations is considering the
development of security policies as an end in itself. However,
development of enterprise security policies is actually the
'beginning' of the security process. Once the enterprise security
policies are developed, standards, guidelines and procedures
for implementing them on ground have to be developed. In larger
organizations, the Enterprise Security Architecture (ESA)
flows from the security policies.
A crucial phase in the implementation process of the security
policy is its dissemination to the employees and other concerned
personnel. The whole purpose of implementing security policies
is to inform people on what they should do to follow good
security practices, and to initiate disciplinary proceedings
in case they violate the security policies. However, a large
number of organizations do not have formal processes to distribute
the security policies across the enterprise so that employees
become aware of them and incorporate good security practices in their
day-to-day work.
Though surveys show that about 50% of the Indian corporates
have documented security policies in place, the ground reality
is that very few of those security policies are effectively
implemented organization-wide. In fact, security surveys would
serve their purpose more meaningfully if they sought to project
a truer on-ground perspective, i.e. if they surveyed
to identify the number of organizations whose employees were
aware of their organizational security policies, not just
the number of organizations that simply owned a security policy.
Effective implementation of enterprise security policies is
an ongoing process. Changes in business process, strategies,
or external threat environment may all affect the risk posture
of the organization, which would necessitate a review of the
existing security policies to mitigate the new risks. Therefore,
effective security policies require periodic review
to keep them in step with the business and risk realities.