Tuesday, February 2, 2010

Security Policy Implementation

Once you’ve created your policy, you need to roll it out to your organization. Too many well-intentioned projects lose steam in this phase, so this step must be well planned and undertaken thoughtfully.


First, and perhaps most importantly, a security policy must be backed by your company’s senior management team. Without their support, the cooperation needed across departments will likely doom the implementation. Department heads must be involved, and specifically, Human Resources and Legal Services must play an integral part.


If the position doesn’t already exist, an Information Security Officer should be designated at your company who is responsible for implementing and managing the security policy. This is sometimes not practical at smaller companies, but regardless, one person with the authority to make executive decisions needs to own, and be accountable for, your company’s security policy.


Remember that your security policy must be officially adopted as company policy. It should be signed off on and recorded in the same way your company makes any major decision, including full management approval.


Go through each policy and think about how it will be applied within the organization. Make sure that the tools are in place to conform to the policy. For example, if the policy specifies that a certain network be monitored, make sure that monitoring capabilities exist on that network segment. If a policy specifies that visitors must agree to the Acceptable Use Policy before using the network, make sure that there is a process in place to provide visitors with the Acceptable Use Policy.


User education is critical to a successful security policy implementation. A training session should be held to go over the specific policies that will impact users, as well as provide basic information security awareness training. Often, users create security issues because they simply don’t understand that what they are doing is risky or not permitted.


Users must be given a copy of any user-level policies, and must acknowledge in writing that they have read and will adhere to them. If possible, coordinate this with Human Resources so that the policies can be included with any other HR documents that require a user signature.


No matter how well thought out, no policy will be 100% applicable to every scenario, and exceptions will need to be granted. Exceptions, however, must be granted only in writing and must be well documented. It should be made clear from the outset that the policy is the official company standard, and that an exception will only be granted when there is an overwhelming business need to do so.