Friday, January 8, 2010

Guidelines on Policy Content

When developing policy content, many go about creating a policy exactly the wrong way. The goal is not to produce hundreds of pages of impressive-looking information, but to create an actionable security plan. The following guidelines apply to the content of successful IT security policies.

  • A security policy should be no longer than is absolutely necessary. Some believe that policies are more impressive when they fill enormous binders, or contain hundreds or thousands of policies. In fact, the sheer amount of information in those policies is what makes them useless. Brevity is of the utmost importance.

  • A security policy should be written in “plain English.” While, by nature, technical topics will be covered, it is important that the policy be clear and understood by the target audience for that particular policy. There is never room for “consultant-speak” in a security policy. If there is a doubt, the policy should be written so that more people can understand it rather than fewer.

  • A security policy must be consistent with applicable laws and regulations. In some cases there are laws that apply to a company’s security practices, such as those covering encryption. Some states have specific disclosure laws and some industries have specific regulations. Research and become familiar with any regulations or laws that apply to your company’s security controls.

  • A security policy should be reasonable. The point of this process is to create a policy that you can actually use rather than one that makes your company secure on paper but is impossible to implement. Find a middle ground in the balance between security and usability that will work for you.

  • A security policy must be enforceable. A policy should clearly state what actions are permitted and what actions are in violation of the policy. Further, the policy should spell out enforcement options when non-compliance or violations are discovered.
For more information visit www.InstantSecurityPolicy.com.