Monday, October 22, 2007

How to Successfully Integrate Security Policy

ISACA outlines the key pieces of a successful security policy well: “Senior management commitment to information security initiatives. Management understanding of information security issues. Information security planning prior to implementation of new technologies. Integration between business and information security. Alignment of information security with the organization’s objectives. Executive and line management ownership and accountability for implementing, monitoring and reporting on information security” (2005).

Security policy should always support the business’s mission, and management must be shown that security touches every part of the business. Robert Shimonski, writing for TechGenix, says that a good way to get management buy-in is to “explain the risks involved and see if you can hit a happy medium” (2004). Cisco Systems recommends establishing a “cross-functional security team led by a Security Manager with participants from each of your company's operational areas. The representatives on the team should be aware of the security policy and the technical aspects of security design and implementation. Often, this requires additional training for the team members. The security team has three areas of responsibilities: policy development, practice, and response” (2007). Having general company management participate in creating the security policy helps them understand the impact the policy has on their own areas.

Robert Shimonski recommends that HR be responsible for communicating the finished policy to all employees (2004). At Trinity Health, we are required to sign that we have read and agree to comply with the security policy. In addition to signing when we are hired, re-reading and signing the policy is part of the annual review process. Another good way to communicate the policy is to publish it and ask all employees for feedback.

The security department needs to work with the other departments much as a consulting firm would. It should make sure that a high-level enterprise security policy exists, and then work with each department to create specific, relevant policy that meets that department’s own security needs. Too often, a one-size-fits-all approach to security turns departmental managers off. What is good for the accounting department is not always good for the customer service department. ISACA recommends that “priorities must be clearly set and established in the security strategy with key performance indicators approved by the highest level of the organization to help ensure that the goals will be effectively and consistently managed, monitored and executed” (2005).

Human Resources and the legal department are two extremely important departments to work with when creating a security policy. HR needs to ensure that the sanctions for security violations are acceptable, and HR should be responsible for following through on them. If violations are not handled the same way throughout the company, it will lead to distrust. The legal department should also review the policy against any government regulations that apply to the company.

Cisco Systems Inc. (2007). “Network Security Policy: Best Practices White Paper.” Retrieved October 22, 2007 from

ISACA. (2005). “Critical Elements of Information Security Program Success.” Retrieved October 22, 2007 from

Shimonski, Robert J. (2004). “Defining a Security Policy.” TechGenix Ltd. Retrieved October 22, 2007 from
