Security policies are often written by people who have security expertise but not policy expertise.
Having trouble creating an effective security policy for your organisation, and not sure of the best approach to developing one? You’re not alone.
It’s one thing to know how a security environment should be constructed, but translating this into a written set of enforceable rules is a discrete skill. Despite the wealth of resources on writing information security policies, companies still struggle with balancing the right level of guidance, a sufficiently direct style and a risk-based approach.
According to Rob McMillan, research director at Gartner: “If you can’t translate your requirements into effective policy, then you’ve little hope of your requirements being met in an enforceable way. But if you get it right, it will make a big difference in your organisation’s ability to reduce risk.”
Your security policy defines and documents your organisation’s established position about the security risks that must be controlled to meet the risk appetite of the business, which will ultimately fund security controls and bear any residual risk.
By 2018, 50 percent of organisations in supply chain relationships will use the effectiveness of their counterpart’s security policy to assess the risks in continuing the relationship, up from 5 percent today. The importance of an effective security policy can’t be ignored.
Approach security policy development as a process
It’s a mistake to assume that you can successfully develop policy by having a knowledgeable person compose a document in one sitting, in isolation from the rest of the organisation. This will alienate the rest of the organisation and lead to high levels of resistance and counterproductivity.
“Successful policy outcomes almost always require a process of consultation and iteration before a final, sustainable policy position is drafted,” said Mr. McMillan. “If you can’t defend your process, then you can’t defend your policy.”
Find out more about effective security policy on the Smarter with Gartner website.
Gartner clients can read more in the report ‘Five Golden Rules for Creating Effective Security Policy.’
Mr. McMillan will speak on fixing broken security policies at Gartner Symposium/ITxpo on the Gold Coast, Australia, October 26-30.
Gartner Symposium/ITxpo is the world’s most important gathering of CIOs and other senior IT executives. IT executives rely on these events to gain insight into how their organisations can use IT to overcome business challenges and improve operational efficiency.
Upcoming dates and locations for Gartner Symposium/ITxpo 2015 include: November 8 – 12, Barcelona, Spain