An Introduction To
Information, Network and Internet Security


Security policy checklist

As a general guideline the information security policy statement should include:

· A definition of information security, with the objectives and scope of the topic as seen by the corporate management team;

· A statement of management commitment to implementing the aims of the policy;

· A rationale for spending time and effort on establishing security, explaining how and why it matters to the organisation and its future;

· An explanation of the need for specific aspects of the policy, such as virus controls or the need to meet specific legislation;

· The allocation of responsibilities for the continued implementation of the policy;

· An explanation of the process for reporting breaches of security.

It is also true that any policy, or any given set of rules, will sooner or later be found wanting.

The intention to review these corporate requirements, as an executive function, from the top down, must be conveyed in the policy statement. Many organisations leave this review process in the hands of their audit department. The expression "audit and review" can be misleading in that it suggests that these two important functions can be combined. The review process can easily become entangled with the audit function, but it is important to remember that Auditors are employed to check compliance with the rules; they are not, strictly speaking, supposed to make the rules they audit against. Putting the same people in charge of both, poacher and gamekeeper at once, is inevitably doomed to fail.

Experience shows that if employees are failing to adhere to the rules, it is often because the rules are poorly written, or because they no longer apply since the organisation's business has changed in some way. Employee access rights and permission levels are especially vulnerable to these gradual, evolutionary changes in working practices: rights granted for a role that has since changed tend to accumulate unless the review process catches them.

It is essential that the procedures are owned and set by the corporate management chain and not by the Auditors. Auditors may be required to advise management on the statutory, regulatory and legal implications of any given working procedure, but only the organisation's management should be allowed to publish the rules on how those procedures are carried out.

Equally, only the corporate executive can legitimately change the organisation's policy. It seems unlikely that any Board of Directors would allow their internal or external Auditors to determine their organisation's policies, so why let them make the rules by which those policies are delivered?



The Security Practitioner

An Introduction to Information Security