Creating new information security policies is one of the easiest steps in the process, that is, if the policies are clear, concise, and well written. Even when the policies meet those properties, they may still fail to be successfully implemented. During our course we reviewed some of the challenges to consider when implementing information security policies, many of which I have experienced in my career in the IT field. One of the first issues is often discovered quickly when anyone outside of the policy creation team reviews the process of policy creation.
When creating new policy, the requirements flow down from the top of the company and must be there to protect or meet business needs. This means that the senior leadership of the organization must support and enforce the policies, so we must have executive buy-in. This requires that we let executives know:
- the level of commitment asked of their teams
- how policies impact their current environment
- what value the policy brings to them; i.e. what risks does the policy address
- how success can/will be measured
The policy specifies what data is protected, who has access, and what kind of access they have, and the objective states what the policy achieves; for example, in information access policies we may want only authorized people to have access to certain types of data. The requirements then must provide a way to reliably identify people or measure the objectives, say, to protect our data from unauthorized people. Finally, the technical controls enforce the objectives, using password mechanisms and encryption to protect sensitive data. The policy also determines who is responsible for following the policy and what, if any, the consequences are if they do not.
This last point is often used ad nauseam, which is the "stick" rather than the "carrot" approach. Incentives for following policies are overlooked as a way to ensure implementation is successful, yet they are one of the first ways to overcome the non-conformance problems that policy implementation runs into. This type of implementation issue is a non-technical one, a human one, if you will. Alotaibi et al. share in their abstract that "non-compliance with information security policy is one of the major challenges facing organisations. This is primarily considered to be a human problem" (Alotaibi, Furnell, & Clarke, 2016). Thus, we must ensure these human issues are addressed, especially in distributed environments and/or offices, by considering the various user types (different roles, goals, security knowledge, and levels of control) and organizational challenges such as supervisors having to manage a lot of people.
Technical hindrances to policies include distributed infrastructure and IT expertise, outdated technology, and a lack of standardization throughout the IT infrastructure. Each of these can be addressed by first identifying where and to whom policies are applicable and distributing them to the correct leaders, ensuring that the policies are aligned with the technology in use, and standardizing the technologies used in the organization.
References
- Alotaibi, M., Furnell, S., & Clarke, N. (2016). Information security policies: A review of challenges and influencing factors. 2016 11th International Conference for Internet Technology and Secured Transactions (ICITST). doi:10.1109/icitst.2016.7856729