What is Security Policy Management?

A security policy management program is associated with the management of security policies within an environment. The goal of this program is to keep security policies updated, relevant, and standardized within an environment. The following elements and processes are generally associated with security policy management.

Security Policy Management Elements:

A Workflow Diagram – This diagram illustrates all of the associated processes associated with security policy management.

Process Documentation- Every process area related to security policy management should have defined roles and responsibilities, business rules and related tools for each process.

Associated Role- Security policies are often managed within an environment by the security analyst role

Security Policy Management Tools- Any repeatable techniques or technologies in associated with security policy management.

Associated Security Policy Management Processes:

Security policy management is generally comprised of the following processes:

Policy Scope Determination – Defines the reach of a policy set as well as the types of documents (policies, standards, guidelines, process, or charter documents that are included within the managed documentation.

Policy Development- The development of a suite of policies, standards, guidelines etc within the environment.

Policy Ratification- The process of approving the security policies for the environment.

Policy Publication- This is the official publication location, either digital, hard copy or both of the policy suite within the organization.

Policy Training & Awareness- The training and awareness component associated with the policy suite.

Policy Reviews- The process of reviewing security policy documentation on a repeatable basis, often at least annually.

Policy Updates- The updating of security policy documentation within the environment.

Policy Exception Management: The management of exceptions to the security policy documentation within the environment.

Policy Deletion – The removal of security policies from the environment

Policy Archival – The archival of security policies documentation, either current or retired within the organization.

As always, please provide your feedback to CISO Handbook team or Mike.Gentile@cisoshare.com or follow me on Twitter; I always read them.