I have found that not everyone has considered the role of security policy in an organization’s information security management program. Therefore, I will share some of my insights with the hope that it will help others articulate it to their organizations.
A Security Policy is a written document that states management’s intentions with regard to a particular aspect of security. Take, for example, a policy on passwords. The policy may state at a high level that passwords are to be protected, unique, and of a sufficient strength. Based on the policy, additional documents such as procedures and guidelines may be created, but it is the policy that creates the foundational basis for the other documents that get created out to carry out the management expectation.
This is why an auditor will want to start with the organization’s security policies. Auditors are looking for evidence that the management understands the compliance requirement and has codified it with a corresponding policy. Of course, they will then go on to look for additional evidence that the policy was implemented by looking for other artifacts.
Above and beyond the role that policy plays in an audit, the policy also creates a mandate for the organization. If the policy was important enough for the management to write it down and to approve it, then the folks who are charged with executing the policy can reasonably expect management support as needed when enforcing it.
As a security professional, I am often asked whether something is “okay from a security perspective.” The last thing that I would want is my decision to be perceived as arbitrary; therefore I look to our security policies for guidance. Security policies should capture the organizations past learning about what needs to be done to keep the organization secure and should be refined over time to reflect the changing needs of the business and the increasing maturity of the information security management program.
Security Policies generally deal with the “what” and the “why” and leave the detailed “how” to corresponding procedures. Procedures, while still mandatory, may not require the same high level of executive approval and generally get into technology or implementation details that are not appropriate for a policy. Guidelines are not mandatory, but are useful to show one or more ways of how to achieve compliance with a policy.
If an organization’s policies are complete and comprehensive, security awareness becomes simply a matter of making sure that everyone is aware of the organization's policies and the consequences and business risks of not following the policies. After all, what organization does not want to “say what they do and do what they say?”