Developing and Maintaining Policies



Organizations should not approach information security in an ad-hoc manner. One way of ensuring that an organization’s approach to information security is deliberate and planned is to document rules and procedures as organizational policies.

Organizational policies can provide stakeholders within the organization with clarity about not only how sensitive information is to be protected, but also which people within the organization are responsible for configuring and maintaining the controls that provide that protection. If there are no policies specifying who is responsible for the security of information systems, some individuals may take actions in the name of securing those systems that exceed what would, on further consideration, be considered acceptable, while others take minimal action to protect those systems because their responsibility for them isn’t clearly delineated.

For example, there have been scenarios where the administrators of security systems have refused to hand over administrative account passwords to superiors when requested. In some cases, this is because the administrators of those systems believe that doing so would compromise the security of those systems. In other cases, it is because the administrator had reason to believe that the superior was attempting to circumvent the security controls of those systems. A clearly defined policy would spell out when such a request should be honored and when it should be refused.

Policies that clearly delineate responsibilities assist organizations that are under attack because they spell out which individuals should perform which tasks in a crisis and how those tasks should be performed. If responsibilities are not clearly delineated, mistakes could be made in responding to the attack that lead to more severe consequences.

Policies should be developed in conjunction with all stakeholders. Your organization may be subject to specific regulations around data breaches. These regulations may determine which people within an organization are responsible for performing specific actions when a breach occurs. For example, a regulation may require that the CIO or the organization’s compliance officer report the breach to a specific authority within 48 hours of the breach being detected.

This article is from the free online course Microsoft Future Ready: Fundamentals of Enterprise Security, created by FutureLearn.
