This article provides an overview of the benefits, issues and steps involved in developing an organizational security policy.

Introduction

The first step in developing an organizational security system is to design a comprehensive security policy. A security policy is the organization's "bible" on what resources are protected, how they are protected (that is, the security controls in place), who administers the protection and how the organization should respond to attempted or actual breaches of security.

Benefits of a Security Policy

A security policy is a document that contains the following details:
- The assets to be protected
- How each asset is to be protected
- Who is responsible for protecting each asset
- How to respond to security breaches

Designing a security policy is a valuable process in itself, because it forces the organization to think carefully through important security issues. Identifying the assets to be protected also involves evaluating the true value and priority of each asset.

Once a given asset has a "value", you can apply a risk factor (probability of a security breach × expected loss from that breach) and then work out how much money you should allocate to protecting that asset. You are then better able to evaluate the costs and benefits of the various security controls available.

In addition, a security policy is something you can turn to with confidence in the case of a security breach. Instead of scrambling for help in an emergency, your policy will already contain the practices and procedures to follow and the contact details of important employees and external parties (security consultants, law enforcement agencies).

A security policy should reflect the organization's "best practice" and accumulated knowledge of security. It removes the need to "reinvent the wheel" every time a new security officer, system administrator or office manager is appointed. It also frees the organization from reliance on third-party consultants for security guidance (although it should "pick their brains" while the policy is being drafted). It facilitates systematic and comprehensive day-to-day security management and clearly outlines what needs to be done in the event of a crisis.

However, it is essential that you regularly revise, update and enhance your security policy! This is especially the case if security audits, tests or incidents bring to light problems that the original policy did not address.

Issues in Developing a Security Policy

In general, the larger the organization (200 people or more), the more vulnerable it is to a breach of security. This is because there is an increased number of "security variables" (factors ranging from people to assets to environments) that are difficult, if not impossible, to control. Hence, the larger the organization, the greater the need for a person whose full-time role is maintaining and administering the security system. In very large organizations (500 people or more), a security team or department is generally needed.

The security officer or manager should not be solely concerned with information technology security, although that will inevitably be a large part of his or her job. He or she should take a holistic approach to organizational security. An organization is a dynamic network of processes, communication channels and resources. At any given time, weaknesses that emerge in one area may affect or extend to some or all of the other areas. Hence, a broad view of the organization as a whole is necessary in order to watch for, and eliminate, any weak links.

Of course, the security professionals who report to the security officer may each be responsible for a specific area of security. Alternatively, different aspects of security may be kept separate from each other, with different lines of reporting. For instance, in many organizations the system administrator is expected to administer and maintain the security of the information system, but is generally not expected to ensure the security of non-information-system assets or resources. Site security and safety officers are commonly appointed to look after physical security and safety respectively, and they may not report to the security officer at all.

Small Organizations

Smaller organizations (fewer than 100 people) may not have a system administrator or an information technology department at all. These roles may be sub-contracted to a consulting company on a regular or irregular basis.

As more organizations, especially small and medium organizations (100 people or less), become more reliant on computer technology, the greater the need for someone to take responsibility for information system security. This has become critical with the increased use of the Internet.

This job may be delegated to the Office Manager. If that is the case, it is essential that the Office Manager first undergo a training course that covers the essentials of organizational security. Second, he or she should be given the authority and support from senior management to undertake security responsibilities. Finally, he or she should establish a "lifeline" with a qualified security consulting firm to assist with developing or maintaining the security system, or at least with dealing with an attempted or actual security breach.

Developing a Security Policy, by Anna Johnson