Planning Your Security Policy

There are three factors to keep in mind when planning your policy. The first requires you to express the goals of your policy. What are you trying to accomplish? What are you trying to protect? The second step requires you to scan the work environment and identify vulnerabilities that exist within current processes. The final step asks you to create a plan of action that will help alleviate the flaws. All are equal contributors to planning success.

Step 1: Setting Goals for Your Security Policy

Your security policy goals should run parallel with the goals set for your company. For example, if your company is customer oriented, then a goal of your security policy should be to protect your customers and their data through the use of encryption and network security.

Furthermore, all parties should play a role in goal setting. This is crucial because if a security breach were to occur, each department would play a different role in the recovery process, as well as in re-evaluating procedures for policy improvement. Global involvement gives each department time to invest in the policy, ensuring a higher level of cooperation when the time comes to implement the policy.

Step 2: Identifying Security Vulnerabilities

A company must examine existing procedures and identify all processes that pose a security risk. For example, policies regarding data management (how data is protected during storage, how long it is kept, and proper methods for data deletion) are common pain points in the corporate world. Some questions that may help identify such vulnerabilities include:

What types of sensitive information does your company handle?

Which department handles each piece of sensitive information?

Is sensitive information stored with non-sensitive information?

Such questions should spur some thought as to what changes need to be made in order to begin alleviating the risks that accompany current processes within departments.

Step 3: Creating a Plan of Action

After identifying which processes require change, create a plan of action for mitigating these risks. Each plan should consider how long it will take for each change to occur, what type of training is necessary for each individual or department to meet the newly adopted standards, and what responsibilities each individual or department can be held accountable for (e.g. how often are gap analyses regarding security conducted, and who conducts them?).

For more tips on developing a sound security policy, I recommend checking out the Security Company Resource Center.