tISS: Security Policy Development

1. tISS: Security Policy Development (Top Tips)
2. tISS: Security Policy Development (Executive Summary)
3. tISS: Security Policy Development (Report)

Getting security policies right can be a difficult and lengthy process, with major costs attached if they prove to be ineffective or inadequate - look no further than Data Protection breach fines for evidence that security policy failure can prove expensive.

What are the most effective approaches for policy development - where should you start? What do you want the policies to do, and for whom? Is 'do the minimum allowable' the right approach? Should there be one overarching policy, or will an approach of function-responsible policies be more successful?

Finally, policy templates may be readily available via a quick web search, but they can lead to policy failure - if the policy does not have a good 'cultural fit' with the organisation implementation and adoption can flounder. But is there a way that policies can be effectively shared, to avoid the need to re-invent the wheel?

The final agenda will be developed through consultation amongst delegates, provisional discussion areas are:

• Defining what a policy should look like
  • What is the difference between a 'policy' and a 'procedure' or 'work in progress' or 'guideline'?
• How to effectively create policies
  • Policies and multiple compliances
  • Use of Frameworks
  • How detailed should you be?
  • Auditor validation of policies
• Defining the style or approach that best suits your organisation, will carry weight and will lead to the right type of activity and behaviour
  • Cultural fit
  • Use of language and effective communication style
• Measurability, and ensuring ROI is delivered