The Process
The first step in writing your policies is to gather a team. Writing a set of security policies is usually a top-down process, but it does not have to be, and may combine bottom-up and top-down approaches. Your policy development team should be made up of people who work with your network and the Internet, but come from different functional areas of the company. Each manager in your company has a unique view of the company's needs and risks. You need people who know something about the technology, but also some who know about business.
Include some people from the trenches, too. There is nothing less useful than a painstakingly documented security policy that, when implemented, makes the shipping department unable to track packages, or blocks the sales reps from network resources they need from the road.
However, don't let the process of forming the committee halt all progress. Remember, well begun is half done; you can start developing the drafts with just a few knowledgeable IT staffers.
Before writing any policies, scope out your business requirements. What regulations and standards apply to your industry (GLBA, HIPAA, Sarbanes-Oxley, ISO 17799, new state or local laws, etc.)? Get familiar with the penalties for non-compliance, as this will help you prioritize your policies and gauge the proper level of discipline for employees who do not adhere to them. To consider other business issues, ask yourself:
- What services are required for your business, and how might you provide them securely?
- How much do employees depend on Internet access, use of email and availability of intranet services?
- Do your users need remote access to the internal network?
- Is there a business requirement for everyone to have access to the Web?
- Do customers access your data (technical support, order status, etc.) via the Internet?
It takes discipline to ask repeatedly, "Is there a business requirement?" for every service. But the business requirements are the most important drivers of your security policies. Business drivers help you distinguish between what the organization really needs, as opposed to what a few employees want. If you have trouble getting started, look at what you are already doing and ask, "Why are we doing that?" The answer will kick-start your response to the questions above.