Security Policy Development Process

The following Information Security Policy Development Process is intended to give a quick overview of the key steps involved in developing, refining, and approving an organization's information security policy document.

Many of the following steps can be performed in parallel or in a different order from the one given here:

Perform a risk assessment or information technology audit to determine your organization's unique information security needs. These needs must be addressed in the policy document.

Clarify what the word "policy" means within your organization, so that you are not unintentionally preparing a "standard," a "procedure," or some other related material.

1. Convince management that it is advisable to have documented information security policies.

2. Identify the top management staff who will be approving the final information security document and all influential reviewers.

3. Collect and read all existing internal information security awareness material and make a list of the included bottom-line messages.

4. Conduct a brief internal survey to gather ideas that stakeholders believe should be included in a new or updated information security policy.

5. Examine other policies issued by your organization, such as those from Human Resources management, to identify the prevailing format, style, tone, length, and cross-references. The goal is to produce a document that is consistent with previous efforts.

6. Identify the audience to receive information security policy materials and determine whether they will each get a separate document or a separate page on an intranet site.

7. Ensure that roles and responsibilities related to information security are clarified, including responsibility for issuing and maintaining policies.

8. Determine the extent to which the audience is literate, computer knowledgeable, and receptive to security messages. This includes understanding the corporate culture surrounding information security.

9. Decide whether some other awareness efforts must take place before information security policies are issued. For example, one effort might show that information itself has become a critical factor of production.

10. Using ideas from the risk assessment, prepare a list of absolutely essential policy messages that must be communicated. Consult the policy statements as well as the policy templates found on this site.

11. If there is more than one audience, match the audiences with the bottom-line messages to be communicated through a coverage matrix. For more information, see Chapter 2, “Instructions.”

12. Determine how the policy material will be disseminated, noting the constraints and implications of each medium of communication.

13. Review the compliance checking process, disciplinary process, and enforcement process to ensure that they all can work smoothly with the new policy document.

14. Determine whether the number of messages is too large to be handled all at one time, and if so, identify different categories of material that will be issued at different times.

15. Have an outline of topics to be included in the first document reviewed by several stakeholders. An information security management committee is the ideal review board.

16. Based on comments from the stakeholders, revise the initial outline and prepare a first draft, extracting policies as needed from this book.

17. Have the first draft document reviewed by the stakeholders for initial reactions, presentation suggestions, and implementation ideas.

18. Revise the draft in response to comments from stakeholders. Expect this step to repeat several times.

19. Request top management approval on the policy. Changes may be necessary, in which case this step may repeat several times.

20. Prepare extracts of the policy document for selected purposes. For example, an extract might be used in a form signed by users receiving new or renewed user IDs and passwords.

21. Develop an awareness plan that uses the policy document as a source of ideas and requirements.

22. Create a working papers memo indicating the disposition of all comments received from reviewers, even if no changes were made.

23. Write a memo about the project, what you learned, and what needs to be fixed so that the next version of the policy document can be prepared more efficiently, better received by the readers, and more responsive to the unique circumstances facing your organization.

24. Prepare a list of the next steps that will be required to implement the requirements specified in the Information Security Policy Development Process and the resulting information security policy. This can include developing an information security architecture, manual procedures documents, and technical information security standards; acquiring new products; hiring new technical staff; and other matters.

Our premium information security policy package will save you weeks and thousands of dollars in resources. This package contains everything you need to get started on your policy implementation.