It can be said that security policies are living documents that must be frequently reviewed and revised. As organizations evolve, their security needs evolve as well. Policies written before the evolution of the organization may not adequately reflect newly developed needs. Therefore, it should be considered standard procedure to review existing security policies on a frequent basis and adapt those policies as necessary. There are several kinds of policies within an organization, and each needs to be approached with the same level of diligence.
The executive management of the organization, in conjunction with the Chief Information Officer (CIO), must draft an enterprise information security policy. This policy is a foundational policy designed to provide direction for the organization's entire security effort. It is a relatively short document that provides guidelines for more specific policies. It is important that this policy is created first, so that future information security policies can be created under its guidance. Although this policy should be reviewed on a frequent basis, it should only need to be changed if the organization changes direction or scope (Whitman & Mattord, 2009).
Issue-specific security policies are developed based on the guidelines set forth in the enterprise information security policy. These policies are created to address specific issues and provide instructions for employees to follow regarding the proper usage of technology. Issue-specific security policies should be created for each technology the organization implements. These policies must clearly spell out appropriate usage and leave no room for user error. Since technology moves so quickly within an organization, issue-specific security policies must be frequently reviewed. Unlike enterprise information security policies, these policies will require constant maintenance to ensure they adequately reflect the changing needs of technology within the organization (Whitman & Mattord, 2009).
Systems-specific security policies are similar to issue-specific security policies in that they relate to specific technologies implemented within the organization. Whereas issue-specific security policies are meant to convey appropriate usage guidelines to end-users, systems-specific security policies direct information technology professionals on the appropriate security configurations for the technology they administer. For example, one systems-specific security policy may describe how the organization's firewall should be configured, while another defines how user access should be granted on mail servers. Like issue-specific security policies, frequent review of these policies is necessary to ensure the latest security procedures are being followed (Whitman & Mattord, 2009).
Together, these policies make up a larger framework called a security program. The security program contains policies, responsible parties, and procedures to be followed to ensure the organization's information is as protected as possible (Senn, 2004). A comprehensive security program should be considered a living document just as the security policies that comprise are. Over time, the security program must adapt to fit the changing needs of the organization and the evolving technology that powers it.
Senn, J. A. (2004). Information technology: Principles, practices, opportunities (3rd ed.). Upper Saddle River, NJ: Pearson.
Whitman, M. E. & Mattord, H. J. (2009). Principles of information security (3rd ed.). Boston: Thomson Course Technology.