Fourteen Important Security Policy Strategies

Tuesday, May 24, 2011

Global Knowledge


Every organization needs a security policy. If you already have one, there are several important considerations to weigh regarding your existing security strategy.

If you have not yet designed your security policy, here are some important suggestions to integrate into your security stance. If you need direction on how to get started crafting a security policy, read on for helpful tips.

1. A security policy is most effective when written down.

By writing down your organization's security goals, plans, and details, you are making a document that can be used for numerous purposes.

First, it serves as a guide as to where to focus your efforts. Second, it helps measure the success or progress of security implementation. Third, it assists in refocusing and re-doubling your efforts if they stray or are unsuccessful. Fourth, it serves as a foundation for future growth and adjustment.

A written security policy is available for authorized entities to read and review. This in turn establishes a common standard of implementation, management, and administration. Without a written policy, security efforts will be haphazard, aimless, and often unreliable. A written policy is a solid foundation on which to base a successful security endeavor.

2. The security policy should be a core element in all business decisions, not just in the IT department.

In the past, security was considered to be exclusively a concern for the computer nerds. However, in light of today's information economy, security is essential across every aspect of both small and large organizations. Without sensible security, an organization is at risk not only from malicious outsiders but also ill-intentioned employees or random mistakes.

By referencing or considering the security policy as part of all significant business decisions, those actions will be more likely to aid in the long-term preservation of the organization rather than potentially contributing to short-term security deficiencies.

3. Employees must be trained in how to follow a security policy.

It is a mistake to expect compliance with a security policy when employees are unaware of its existence or its content. It is also a mistake to believe that informing workers once of a security concern will be sufficient for long-term compliance. Organizations need to adopt a training regimen.

Craft an awareness program that is administered to all internal personnel on a 6-month or yearly basis. This baseline security class is aimed at establishing a common foundation of minimal security throughout the organization.

Building on this baseline, you can develop job-specific training that shows each type of worker how to be more productive while staying within the boundaries of the security system. All security training needs to be revised as often as the security policy itself is updated.

For employees who repeatedly violate security, provide additional security training. However, if after remedial training an employee is still unable to comply, that employee needs to be removed from a position where they can cause security violations. This could include termination as well as job reassignment...

Download the complete report here:

Fourteen Important Security Policy Tips

The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.