Below are the top six considerations when developing security policies for your organization:
1. Have a Security Policy Management Process: Many organizations write their policies as a point in time exercise and do not realize that Security Policies are living documents. As soon as you develop a set of policies, make sure you have a documented process for making additions, changes, and deletes to that policy set.
2. Ensure They are Written with the Same Style: Policies generally evolve and are developed over varying time periods by different people. Make sure that you develop ground rules that illustrate acceptable styles and promote similarity between the various policies regardless of their authors. In addition, always look at your policies as a set and not from an individual perspective. This will produce policies that are easier to understand and of more value to the organization.
3. Understand the Audience for Each Policy: Build your policies with an understanding of the audience that will be consuming each document. For example, you may want to put all of your organization's network security elements in a network policy, which will be consumed by network personnel. This can be more effective than having network security statements scattered throughout the policy set. This seems like common sense, but since many of the frameworks used for policy development do not follow this approach, most organizations get lost right at the start. Just as important, ensure that you clearly illustrate the difference between policies, standards, guidelines, and procedures within your policy set.
4. Publish your Security Policies: Ensure that the various audiences within your organization are able to easily view your security policies. Publishing your policies in areas such as a company intranet makes it easy for those in your organization to understand what they are supposed to do from a security perspective. Most of the time, employees want to do the right thing; they just do not understand what the right thing is.
5. Define Everything: If your security program strategy states that you are going to be proactive, yet your security program only focuses on conducting audits, your approach is going to run into trouble. Build a strategy that is appropriate, practical, and something that you can build on within the other components of your program.
6. There is no Wrong Approach: Understand what works best for your organization, and then build your security policies accordingly.