Benefits
Policies provide a framework within which to define roles and responsibilities, to formulate and justify any regulations and to make explicit the organization’s attitudes towards any actions that threaten its assets. They are sometimes described as “Management’s instructions as to how the organization is to be run”.
Overall, the policy must define the role that information security plays in supporting the mission and goals of the institution.
Developing a security policy is the first step to improving your organization’s security stance.
Specific Reasons & Benefits
- Demonstrate Management Support
  - Give security staff the backing of management in further security activities.
- Demonstrate a Commitment to Security
  - Show customers that your organization cares about protecting their information.
  - Prevent the negative press that can result from security breaches.
- Protect Investments
  - Reduce the number and extent of information security breaches. The sooner a breach is identified, the lower the cost of addressing it. Direct costs (e.g., the cost to recover data lost or altered during an incident, the cost to notify customers of breaches, fines for non-compliance) and indirect costs (e.g., lost customers, lost productivity, time spent investigating and resolving breaches and hoaxes) will decrease.
  - Reduce systems' costs by allowing control measures to be designed into systems rather than added to installed systems. (It is significantly more expensive to retrofit a control than to design it into an application or system.)
  - Provide savings through coordination and measurement of all security awareness, training, and educational activities while reducing duplication of effort.
- Provide Better Protection for Assets by
  - Helping employees recognize and respond appropriately to real and potential security concerns.
  - Providing fresh, updated information to keep your staff current on new risks and what to do about them.
  - Making employees, contractors, and business partners aware that the data on their computers and mobile devices (PDAs, thumb drives, smart phones, etc.) is valuable and vulnerable.
- Form the Basis for Budget and Staffing
  - Establish a comparison point against the cost of losses and non-compliance.
  - Establish sponsorship for projects to build out security infrastructure to achieve acceptable governance.
  - Establish expectations for spending on security for new revisions to technology operations and business operations.
- Form a Baseline Against Which Progress Can Be Measured
  - Demonstrate the effectiveness of security measures.
  - Justify effort and cost.
  - Form the basis for a continued improvement cycle.
- Establish Communication Paths
  - Motivate employees, contractors, and consultants to improve their behaviour and incorporate security concerns into their decision making.
  - Reward good security behaviour.
- Coordinate Activities
  - Declare a corporate goal for operations and projects to meet.
  - Authorize a governance and gating change management board.
  - Declare ownership of information assets.
- Assure Consistent Implementation of Controls
  - Create a standards body and a process for moving technology from emerging status through to evergreen status.
  - Declare a compliance standard based on industry or open standards, tailored to the organization.
  - Authorize an audit practice with organization-wide access and consistency.
- Avoid Liability
  - Reduce the potential for fines and mandatory audits by improving overall compliance.
  - Reduce the potential for lawsuits by demonstrating a corporate concern for security and a process for ensuring that the workforce will provide adequate protection for information assets entrusted to its care.
  - Reduce C-level executives' exposure to prosecution by ensuring that they understand that they are legally responsible for the integrity of the organization's information assets.
  - Demonstrate compliance with regulations that require information security awareness and privacy training.
  - Demonstrate effort to protect both corporate information and customers' personal and financial information.
  - Facilitate disciplinary or legal action by having a process for documenting the requirements and each individual's acknowledgment of the security policies.
- Manage Risks
  - Declare a risk appetite reflecting corporate identity.
  - Document the goals of risk management.
  - Authorize a risk management role and accountability.
  - Establish a strategy for reviewing and managing risks for core functions: financial, operational, reputational and regulatory, technology, and data.