Developing an Enterprise IT security policy

Last updated: 21 March 2014

Security is as much about usage policies as it is about the technology deployed; in fact some would argue that defining policies for network security is the most important step, no matter how sophisticated your security architecture. I will leave that discussion for another blog post. With this in mind, today we have a guest contributor to the Enterprise Security blog, Joe Schembri from Villanova University, who gives us some helpful hints on how to develop an enterprise IT security policy.

An effective IT security policy considers the organization's mission, the likely threats, the critical assets that need protection, and the risk posed by known vulnerabilities. The policy is the document from which your company's procedures and guidelines are derived. Looked at another way, the policy states what must be done (and why), and the procedures and guidelines state how.

Factors to Consider
Make sure you have a clear understanding of the organization's mission and of the assets that matter most to it. Those assets are both physical (people, buildings, servers) and logical (your data and the systems that process it).

Assess the threats carefully. Threat level depends less on headcount than on what you hold and who wants it: a large government agency or a Fortune 500 company can expect targeted, well-resourced adversaries, while a small business will mostly face opportunistic, commodity attacks; but a small firm that processes payment card data, holds customer records, or sits in a larger company's supply chain is a target as well, and its policy should say so.

Define the Scope of the Policy
At the beginning of the policy document, state exactly what the policy covers and what it does not (which systems, data, locations, and people it applies to). A clearly defined scope gives meaning to those who must work with the policy and translate it into practical procedures and guidelines, and it makes understanding and implementation easier for everyone.

Define the Target Audience
Determine who the stakeholders are for each section of the policy, and write with that audience in mind. If your key stakeholders are executives (and they normally are), know the agenda of each and address it accordingly. For instance, the CEO will focus on the business-impact analysis, the CIO on the overall infrastructure and architecture, and the CISO on critical infrastructure, risk, mitigation, vulnerabilities, and assets.

Keep the policy at a high-level
While it is critical to be clear about the policy's scope and to use language that speaks to each audience, the document itself must stay general and broad. Return to this principle throughout the process: once you start specifying which product, setting, or step to use, you have drifted out of policy and into procedures and guidelines, which change far more often than the policy should.

Remember Your Weaknesses
You want the policy to stay aligned with the company's goals, so be mindful of the weaker areas and gaps in the organization: functions that are understaffed, controls that exist on paper but not in practice, and assets nobody clearly owns. Once you recognize these, you can write policy that closes them while keeping the mission and the business-impact analysis at the forefront.

This article is brought to you by University Alliance on behalf of Villanova University’s online programs. Villanova offers information security training with concentrations on both private and government entities. Several security programs are available to expand your IT security career.