Effective Security Policy Management – Part 7

Part 7. A Written Exception Process

It may be impossible for every part of the organization to follow all of the information security policies at all times. This is especially true if policies are developed by the legal or information security department without input from business units. Rather than assuming there will be no exceptions to policy, it is preferable to have a documented process for requesting and approving exceptions to policy. Written exception requests should require the approval of one or more managers within the organization, and have a defined time-frame (six months to a year) after which the exceptions will be reviewed again.

Policy exceptions can be managed within the same framework as the policy documents themselves. In other words, policy exceptions should be documented, have a clear owner, and can be organized by topic area to be clearly associated with the written policy document defining the requirements.

Automated Security Policy Management Solutions

For large organizations, following a standard of due-care for managing information security policies is a time-consuming task. The basic process of recording which of your hundreds or thousands of employees have read even one of your policy documents may consume many man-hours. Fortunately, automated policy management tools, such as the VigilEnt Policy Center (VPC) allow organizations to effectively management their written policy documents with a minimum of manpower. There are now a number of good policy management tools on the market from a variety of vendors.

An automated policy document management tool helps facilitate each of the seven characteristics. A set of robust document management features allows for easy editing, update and version control, with centralized review and publishing of documents. Role-based access control assures that only select individuals can review and approve policies for publications. Documents are given a specific window of availability that can match the effective date written on the policy. These and other customized attributes allow for very effective targeting of documents.

Within most automated tools, users are given access to a custom intranet portal that gives them access to the documents which apply to them, based on their role. More robust policy tools also allow for quizzing features to test a user’s comprehension of each policy document that have been required to read. Acknowledgement via digital-signatures allows the organization to easily record the date and time each document was read be each user.

Some products, such as VPC, allow organizations to integrate the policy “portal” into their existing LDAP-based or Windows directory structure. This integration allows easy targeting of documents based on a user’s group membership. Management reports can then be run on a regular or ad-hoc basis to determine the overall compliance level at the group or organizational level.