An End-to-End Security Information Policy Framework

The current business environment is undergoing considerable change including rapid and disruptive innovation, employee base reorganization and relocation, and corporate divestiture and consolidation. 

The global nature of today's commerce presents non-trivial challenges from a security perspective, including policy formation and localization, system monitoring, the implementation of appropriate security controls, and security auditing.  

To overcome these complexities and create a business-centric, effective information security program based on international standards and industry best practices, the organization must adopt a flexible yet stable information security policy set. As the organization develops and moves forward with its business strategy, the information security department must work with business leaders to define and create a framework that improves security posture and adds value to the company.

The key to an effective information security policy posture is balance. Controls that are too loose result in data spills, loss of customer confidence, and reduced competitive advantage. Controls that are too tight result in poor usability, reduced access to data, and loss of operational efficiency.

Long-term success also relies on the continued maintenance and enforcement of policy; it must remain relevant to the evolving business and technical landscape. Information policies can remain in effect for years, so thoughtful selection of tools, boundaries, and controls at the outset is what allows the organization to respond quickly to later change.

WHERE TO START

Begin by examining all business inputs to the policy process. This analysis covers the business model and forward strategy of the organization, including all aspects of the organizational structure and product lines. Policies must support the business, not throttle its effectiveness, and it is important to begin (and continue) the assessment with this in mind.

Next, consider the technical side of the equation. What is the current data dictionary? What data is critical to the business? What personally identifiable information (PII) must be protected? How is data managed and stored within the information architecture? What risk assessments have been performed, and what did they reveal? What ongoing security audits are in progress? How would a stronger security posture affect performance against existing service level agreements?

Keeping this enterprise-wide view in mind throughout policy, procedure, and process selection is the guiding perspective for choosing the appropriate industry standards. It simplifies overall policy selection, approval, implementation, and communication.