A policy is a foundational part of a strong information security program. When developing a policy, you should ensure that you follow a few key principles:
- Receive board-level / CEO approval and support:
  - Without CEO or board-level backing, a security program is doomed to fail.
- Only create a policy that you intend to follow:
  - Do not create a policy for the sake of documentation. A policy that sits on the shelf and is never used does not help anyone.
  - Policies that you don't follow will be used by an auditor to show that you are deficient.
  - If you have policies, follow them.
- Ensure your policies are implementable:
  - There are many ways that a security standard can be met, and your policies should reflect the way that your organization wants to implement a standard.
  - If two of four possible controls provide adequate risk mitigation, describe only the two you intend to implement, not all four.
- A policy needs to take into account the organization's appetite for accepting risk:
  - Consider the value of the information that your organization owns.
  - Consider what would happen to the organization if you lost control over the confidentiality, integrity, and/or availability of the information:
    - Are you trying to safeguard trade secrets or sensitive proprietary information (confidentiality)?
    - Does information need to be accurate at all times (integrity)?
    - Could the organization effectively operate without its information (availability)?
  - Answers to questions like these, combined with an understanding of your organization's risk appetite, will inform your policy development.