Developing consistent information security policy management

Never-ending network challenges mean IT and business leaders need to adopt a unified information security policy management platform.

I'm still quite surprised at the number of organizations that do not have formal security policies in place. Given the shocking regularity with which new security challenges -- and even outright failures -- come to light, consistent security policy management is an area of IT where no one is ever "done." And this problem is multiplied when IT administrators have to deal with multiple policies across multiple units within the organization -- a surprisingly common occurrence thanks to mergers and acquisitions. Add to that highly distributed divisions and subsidiaries -- not to mention the use of multiple networks, including public-access cellular, Wi-Fi and guest access on other organizations' networks -- and the problem grows even worse.

Drafting a security policy

Fortunately, with a little bit of work, it's possible to reconcile differences and ensure that a consistent information security policy management approach is put in place without creating hassles for users or piling on new costs.

But let's begin with the security policy itself. Establishing a common security policy requires agreement on three key elements: a definition of what information is sensitive, possibly defining multiple levels as appropriate; a definition of who, by job title or class, can have access to what information and under what circumstances; and what to do in the event of a breach. Once approved and implemented, a coherent information security policy management standard must be communicated, propagated and enforced throughout the organization. This means the security policy must provide consistency across what were likely disparate security policies and implementations. This approach will help the IT organization avoid conflicts in policy that add confusion, increase vulnerabilities and run up costs.

Commonality and committees

The first step in getting to commonality is to appoint a security policy review committee in charge of planning information security policy management. This ad-hoc group should represent all constituent organizations and should include both technical and management staffers. While a security policy usually does not define specific answers, it's important to make sure the policy considers the effort that might be required to bring all constituents into compliance. However, note that security is never a good candidate for compromise, and ultimately compliance must be achieved; otherwise, what’s the point of having a policy to begin with?

To ensure compliance, the policy review committee must embrace a reconciliation process. This may take time, and there may be both political and technical sensitivities to overcome. The leader of this committee must therefore have both political and technical skills, along with the budgetary experience to move all players toward resolution. By the way, such an exercise is a great opportunity for innovation -- after all, if one constituent must make a change, perhaps this or other changes across all constituencies might be of value. So the role of this organization is not just to bring the new guy up to speed; it is also to make sure compliance is universal, enforceable and ultimately optimal -- the best possible result under the realities of operational, logistical and financial constraints. In-place security policies should be reviewed no less than twice per year, and the security policy review committee's work product is just that: a workable policy that considers implementation and costs as well as the security policy itself.

Once the committee completes its work, the next step is implementation. We recommend that another group, the security technical review committee, be formed to implement strategies that assure compliance and enforceability. Just as the security policy review committee considers technology, the security technical review committee also reviews policy. But the focus here is to assure all security standards are in concert with the security policy. Note the plural in the last sentence -- ideally, only a single implementation will be in place. But that may not be practical for a variety of reasons, including cost, especially support costs; logistics; or special requirements in a given business unit, perhaps one that works on government projects, for example. This creates a need for a phased cutover to a new strategy, which, by the way, could take months or even longer. This committee will coordinate and review all requisite factors until a given implementation is ready for certification under the security policy. Since one is never "done" when it comes to security -- as changes, modifications and upgrades to network protections are likely constant over time -- IT operations must eventually assume control here.

Unifying the information security policy

All of this might seem like a lot of work -- and it is -- but given the requirement for a unified security policy, such a thorough and tightly controlled strategy is clearly indicated. A final point: While commonality in security standards is always desirable, commonality alone is insufficient unless the security policy is carefully aligned with overall organizational goals. And as these change and evolve over time, well, you get the picture. Finally, keep this in mind: Even if information security policy management can indeed be unified, security challenges are perpetual. A strong footing here can only result from a rigorous unification process.

This was last published in November 2015