Brad Curtis | July 23, 2010
Implement, Communicate, Update, and Enforce Your Policy
My last post described how to develop a Security Policy from scratch. Some organizations may have a very basic policy in-place but do not communicate, update, or enforce the policy. This post provides some high-level direction on how you can get started.
Note: Most industry standards and regulations (e.g., PCI, SAS-70, GLBA, HIPAA, SOX, etc.), require you have, at a minimum, a written Security Policy that is communicated to employees, contractors, etc.
You do not need a committee to get started on implementing your policy. However, I would suggest a few very important administrative assurances before rolling it out:
- Technical Writer – have a tech writer develop, or at least, edit the policy
- HR Review – have HR review the policy to ensure it doesn’t conflict with your corporate culture or invoke an unnecessary burden to the company
- Legal Review – if an option, you should have a legal firm review the policy to ensure it is in line with local, state, and federal laws and regulations.
Once you have a Security Policy (albeit in many cases very basic), you can quickly take a step closer to compliance by implementing a few basic principals:
- Require all new employees to read your Security Policy (or all employees if you are starting from scratch with a policy for the first time)
- Notify employees of changes you make to the policy
- State the disciplinary actions, which may result from non-compliance
You should review the policy at least on an annual basis to ensure it is still valid, accurate, and applicable. You will always find there’s information missing or it is outdated.
When you do make changes to the policy, ensure you communicate those changes via e-mails or the company Intranet. This will reduce the cycles involved with HR when employee’s question why policy has changed and they were not informed.
Train employees on the importance of following the policy and the ramifications for not following it. Require employees to report any instances of non-compliance or incidents to your security officer, HR representative, or executive.
If you implement these basic principals, you are well on your way to having a solid Security Policy and program. Up next, I’ll discuss how you can take implementing your Security Policy to the next level and get you one step closer to a solid security program.
POST A COMMENT