Security Policy Development – The Why
While an organization can implement security protocols and work on internal and external security measures, there are considerations that may not be addressed. These can be critical to a security policy and procedures for the safety of the workplace and personnel. The National Center for Education Statistics presents a list titled Check Points for Policy Development and Implementation that can be a wake-up call for organization management concerned with security.
Because organizational security involves all organization levels and personnel, an effective policy can be challenging to formulate and put into practice. Security policy development is an organized collaborative process to produce a comprehensive and clear set of rules and practices for securing systems, personnel, and property.
Elements of a Security Policy
Before any direct action, a thorough risk assessment is conducted to identify possible threats to systems, personnel, and property. This assessment is shared with organization management and responsible parties in the implementation of these procedural steps:
- Critical systems and vulnerable sensitive information are identified.
- In keeping with ethical standards relevant to the process, local, state, and federal laws are considered as well.
- Define the goals and objectives relative to security in the organization.
- Develop a plan for achieving those goals and objectives.
- Set out processes and mechanisms to use in achieving goals and objectives.
Security policy development requires careful implementation of these steps for a satisfactory outcome.
Policy Logic and Construction
While security policy development is mostly a collaborative effort between the security team and upper-level management, the entire organization and all personnel should be involved when activities will impact their areas of responsibility. All levels of personnel should definitely be involved in the information gathering and assessment process, as they have the deepest knowledge of their areas of responsibility. Once a policy is in place, regular meetings are suggested with personnel regarding their areas of responsibility, possible new developments, and for feedback.
While internal personnel are important, consulting with others outside the organization is important as well. This brings information as to what other organizations have found effective, as well as what is not working. This is particularly true in sharing information as to new software or technology that other organizations are using and why.
Points to consider in policy development:
- reason(s) for the policy
- the responsible parties for developing the policy
- laws or regulations that are to be considered in policy development
- responsible parties for policy enforcement
- information, personnel, and property to be protected
- specify required activities of responsible parties
- reporting procedures for incidents, breaches, and violations
- when the policy starts and ends
Incorporating these considerations in the security policy should result in a comprehensive plan ready for implementation.
Writing the text of the plan should consider:
- Verbiage should be concise, but it should also explain the underlying process while focusing on expectations and resulting consequences.
- State the requirements, necessary activities, and reporting processes as mandated, not suggested.
- Due to the varying levels of education in an organization, keep the language clear and understandable for all.
- Be clear in all terms and definitions to avoid misunderstandings.
- Use creative communication to present the policy, whether written, verbal, audio, or visual.
Define and set a schedule for beginning and ongoing training:
- Let personnel at all levels know the type and scope of training before policy implementation.
- Give personnel a schedule for refresher or ongoing training.
Covering all of the bases will assure successful security policy development and implementation.
Wrapping Up
The job has just begun with the rollout of a security policy. Technological innovation is ongoing and rapid, so continual monitoring of possible threats and policy updates is necessary. Kimmons Investigative Services and global security specialist Mitch Price deliver his experience in security policy development for Fortune 150 companies to clients.