
Developing and Maintaining Policies



Organizations should not approach information security in an ad-hoc manner. One way of ensuring that an organization’s approach to information security is deliberate and planned is to document rules and procedures as organizational policies.

Organizational policies can provide stakeholders within the organization with clarity not only about how sensitive information is to be protected, but also about which people within the organization are responsible for configuring and maintaining the controls that provide that protection. If there are no policies specifying who holds which responsibilities for the security of information systems, two failure modes become likely: some individuals may take actions in the name of securing those systems that exceed what would, on further consideration, be considered acceptable, while others take minimal action to protect those systems because their responsibility for them is not clearly delineated.

For example, there have been scenarios where the administrators of security systems have refused to hand over administrative account passwords to superiors when requested. In some cases, this is because the administrators of those systems believe that doing so would compromise the security of those systems. In other cases, it was because the administrator of those systems had reason to believe that the superior was attempting to circumvent the security controls of those systems. A clearly defined policy would spell out when such a request should be honored and when such a request should be refused.

Policies that clearly delineate responsibilities assist organizations that are under attack because they spell out which individuals should perform which tasks during a crisis and how those tasks should be performed. If responsibilities are not clearly delineated, mistakes may be made in responding to the attack that lead to more severe consequences.

Policies should be developed in conjunction with all stakeholders. Your organization may be subject to specific regulations around data breaches. These regulations may determine which people within an organization are responsible for performing specific actions when a breach occurs; for example, a regulation may require that the CIO or the organization’s compliance officer report the breach to a specific authority within 48 hours of the breach being detected.

This article is from the free online course Microsoft Future Ready: Fundamentals of Enterprise Security, created by FutureLearn.
