Q13 Security Policy Development Flashcards
(1 card)
Who should be involved in making a security policy and why?
Involvement in Security Policy Making:
* Purpose of a Security Policy: A formal statement outlining the rules for users accessing an organization’s technology and information assets. It serves as a primary defense layer and informs users and staff of their security obligations. A good policy must be implementable, acceptable, enforceable, and define responsibilities.
Key Stakeholders and Their Roles:
◦ Site Security Manager: Responsible for the overall security posture of the organization. They bring expertise in security risks, controls, and best practices and ensure the policy aligns with security goals.
◦ IT Technical Staff: Those who manage and maintain the network and systems (system administrators, network administrators, security analysts). They provide crucial input on the technical feasibility and implications of the policy rules, the tools available for enforcement, and potential technical challenges.
◦ User Representatives: Individuals or groups representing the end-users of the systems and resources. Their involvement is vital to ensure the policy is practical, understandable, and acceptable to the people who must follow it. They can highlight potential impacts on workflows and provide feedback on usability.
◦ Security Incident Response Team (SIRT): If such a team exists, they provide insights based on past security incidents, common attack vectors, and observed user behavior. This practical experience helps ensure the policy addresses real-world threats and vulnerabilities.
◦ Responsible Management: Senior leadership and managers. They are essential for defining the acceptable level of risk, prioritizing security efforts, allocating necessary resources for policy implementation and enforcement, and providing the authority to make the policy official and mandatory. They ensure the policy supports business objectives.
◦ Legal Counsel: Lawyers advising the organization. They are necessary to ensure the policy complies with all relevant laws, regulations, and contractual obligations (e.g., data privacy laws). They also ensure the policy is legally sound and enforceable.
Why Broad Involvement is Necessary: Involving these diverse groups is critical for creating a security policy that is:
◦ Comprehensive: Covering technical, operational, user, and legal aspects.
◦ Effective: Technically implementable and addressing relevant threats.
◦ Usable: Practical and understandable for the people who must adhere to it.
◦ Supported: Endorsed by management and understood by users, increasing compliance.
◦ Legally Compliant: Meets all necessary legal and regulatory requirements.
Ultimately, a security policy is a balance between risk, convenience, and cost, and input from all affected parties is needed to strike the right balance.