Developing a comprehensive information security policy will result in a more secure network, but it first requires sound planning, company-wide support and time and effort, one IT security leader said today.

Speaking at the InfoSec World Conference and Expo 2007 in Orlando, Florida, David Post, director of corporate information security at The McGraw-Hill Companies, told about 40 people that an information security program is vitally important, especially for those organisations dealing with sensitive data.
"If you’re dealing with personally identifiable information, by law, if you have a breach of that personal information, your company has to respond," he said.
To achieve the right plan to prevent such situations from occurring, security professionals must first garner the support of C-level executives, Post said. He said security leaders should speak in money terms with business executives, forcing them to realise the cost of downtime associated with a crippled network.
"It would be very good for justifying the expense of your program," he said.
Once security professionals begin the development process (following a "high-level IT security review" of their controls and processes), the program’s policy should be succinct and contain general, non-technical information, according to Post’s presentation. When preparing documents, organisers should seek help from all parts of the organisation.
They must keep track of the latest versions of the documents – as they will change frequently – and ensure they are wholly focused on this project during the expected six-to-12 month creation period, Post said.
Standard categories of IT security policy include scope, responsibilities, authentication and identification, viruses, backup and recovery and incident response procedures.
Policies should also be written with longevity in mind, Post said. Decision-makers should develop content that does not have to be changed often to "minimise the maintenance effort," he said.
Once the policy is completed, security leaders should sell it to end-users. Creating brochures or posters or organising an "information security awareness day" are some ways to get the message across.
"You can’t expect people to do something if they don’t know about it," he said.
Still, Post conceded there is no one-size-fits-all method for preparing and implementing a program.
"What I’m telling you probably won’t fit for your company," he said.
An audience member, the data steward manager for a leading financial services company who did not want his name used, said Post’s presentation was informative.
"The one thing we’re constantly trying to do is change the culture," he said. "One of the things we’re trying to do is to build awareness."