Chapter 3. Policies

Policies are one of the less glamorous areas of information security. They are, however, very useful and can form the cornerstone of security improvement work in your organization. In this chapter we will discuss why writing policies is a good idea, what they should contain, and the choice of language to use.

Why are policies so important? There are a range of reasons:

Consistency

Having clear policies in place should vastly reduce concerns about inconsistent approaches from day to day or between members of staff. A written set of policies reduces the need to make judgment calls, which can lead to inconsistent application of rules.

Distribution of knowledge

It’s all well and good for you to know what the policy is with regard to not sharing passwords with others, but if the rest of the organization is unaware of that policy, then it’s not providing you much benefit. Policy documents disseminate information for others to consume.

Setting expectations

Policies set rules and boundaries. When you have clearly defined rules, it becomes equally clear when someone breaks those rules. This enables appropriate action to be taken. Departments like HR find it difficult to reprimand someone because it “feels like” they may have done something wrong; identifying and dealing with contraventions is easier when the rules are well defined.

Regulatory compliance and audit

Many industries are regulated or pseudoregulated, and many have auditors. The existence ...

Source: Defensive Security Handbook, 2nd Edition (O’Reilly).