Information Security Policies and Standards
Information Security Policies and Standards are often overlooked as the "important but not urgent" side of the Information Security field and are given secondary importance (with technology tools taking precedence).
We've all heard the maxim that Information Security risk assessments must be completed prior to Information Security policies. The newly appointed Information Security manager coming into an organization often looks at what is required to do a full risk assessment and decides that they can get the most benefit by skipping a lengthy risk assessment/policy combo, going with their gut feel and implementing technology "solutions". I hear this story often, and unfortunately it does the Information Security program a disservice in my opinion.
I agree that an Information Security Risk Assessment is a requirement, but I propose shifting the order of things a bit to give the new Information Security manager some needed traction in the organization. If you can get management's intent codified in policies, you set up your program to succeed from the beginning, because your Information Security program is based on management's intent rather than the security person's perceived whim.
Since a risk assessment isn't always practical for someone coming into an organization that needs a revamped security program in a short period of time, basing your policies on an internationally recognized framework lends credibility to your suggestions and gives your senior management a level of comfort that things aren't being missed. After you establish the policies and communicate them, you can then build your credibility within the organization.
After you have established yourself as business-aligned and focused on what matters, you will have more time to do a proper risk assessment over a longer period. More on this subject to come in future blog postings.