Building an Effective Information Security Policy Architecture

Posted on by Ben Rothke

My full review of Building an Effective Information Security Policy Architecture is at Slashdot

Security policies are like fiber, that is, the kind you eat. Everyone agrees that fiber is good for you, but no one really wants to eat it. So too with information security policies. They are sorely needed, but most users don't go out of their way to comply with them. And in many firms, they are not even trained in what they have to do. But failure to have adequate information security policies can lead to myriad risks for an organization. 

For the sake of a basic definition, a policy is a formal, brief, and high-level statement or plan that embraces an organization's general beliefs, goals, objectives, and acceptable procedures for a specified subject area. The purpose of information security is to protect an organization's resources. The cornerstone of any information security strategy is a robust set of policies, procedures, standards and guidelines. 

There are many reasons why information security policies are needed. Some of the most important are:

  • To inform users of their information protection duties.
  • To advise users what they can and cannot do with respect to sensitive information.
  • To define how users are permitted to represent the organization, what they may disclose publicly, and how they may use organizational computer resources for personal purposes.
  • To clearly define protective measures for sensitive information assets. The existence of a policy may be a decisive factor in a court of law, showing that the organization took steps to protect its intellectual property.
  • To define both acceptable and unacceptable behavior. For example, spending a lot of time surfing the web and downloading videos off the net are both generally unacceptable.
  • To establish the basis for disciplinary action, up to and including termination.

Building an Effective Information Security Policy Architecture does a good job of showing the reader how to start from scratch and build their security policy infrastructure. The book starts off at a high-level about the need for policies, and then goes into details on how to develop, write and sell these policies to management. 

The book is a good guide to the entire policy lifecycle, from drafting through approval and communication. Of its 340 pages, the first ten chapters comprise 155 pages and deal with creating the policy infrastructure, communicating with management, and putting the entire policy puzzle together. The final 185 pages comprise 21 appendices of example policies.

The most significant and frustrating downside of the book is that there is no CD-ROM or companion website from which to download and use the numerous policy and process examples. At $80.00, such an option should be de rigueur. The lack of electronic versions of the policies in a book such as this is senseless.

Also, this is the first technology book that I have ever seen that did not cite a single reference. It is hard to imagine writing a book on this topic without using some sort of external reference. While the author may not want to quote sources, she should at least point the reader to other sources of information about security policies. Two notable and essential sources in the information security policy space are the SANS Institute - SANS Security Policy Project, which is free, and Information Security Policies Made Easy from Information Shield, Inc., which is $795.00, but worth every penny for a serious security policy effort. Full disclosure: I am on the Information Shield Expert Panel, but get no financial incentives or compensation. 

Overall, Building an Effective Information Security Policy Architecture is a good resource to use if you are tasked with creating or modifying your organization's set of information security policies. The book will likely find itself on the desk of many information security professionals.

While it is frustrating that the book makes you reinvent the wheel by not providing electronic versions of the policies, its value still can't be overstated. Let's hope future editions of the book will fix that shortcoming.

Ben Rothke

Senior Information Security Manager, Tapad

Blogs posted to the website are intended for educational purposes only and do not replace independent professional judgment. Statements of fact and opinions expressed are those of the blog author individually and, unless expressly stated to the contrary, are not the opinion or position of RSA Conference™, or any other co-sponsors. RSA Conference does not endorse or approve, and assumes no responsibility for, the content, accuracy or completeness of the information presented in this blog.
