Effective Security Policy Management – Part 2

Part 2 of 7: Seven Elements of an Effective Information Security Policy Management Program

Effective Security Policies Part 2. Defined Policy Document Ownership

Security Policies can be viewed as contract between senior management, employees and third-parties about the ways in which the organization will protect information. By definition, a contract is between parties, and in the case of written security and privacy policies one of the parties is always senior management.

Each written security policy document should have a defined owner and/or author. This statement of ownership is the tie between the written policies and the acknowledgement of management’s responsibility for updating and maintaining information security policies. The policy author also provides a point of contact if anyone in the organization has a question about specific policies. Many organizations have written information security policies that are so out-of-date that the author is no longer employed by the organization.

Another area of responsibility that should be documented within written security policies is the executive sponsor. The executive sponsor is a C-level manager or executive that puts the final “stamp of approval” on each document. A high-level executive sponsor demonstrates to all employees that your organization is serious about information security in general, and security policies in particular. Ideally, this is the CEO or equivalent top executive within the organization. In some larger organizations, this might be the head of large region or perhaps the Chief Operating Officer. Within the requirements of Sarbanes-Oxley, senior management must actually sign a written document attesting to the adequacy of the organization’s internal controls. Written policies are a key part of these internal controls.

In some cases, the executive sponor is listed as part of each published policy document. In other cases, the sponsoring executive may issue a seperate memorandum stating the importance of information security and that following published policies is required for continued employement within the company.