Selling Management On Information Security Policies

Laws & Regulations: This post is for organizations that could use help raising the level of management awareness and support for information security policies. From the get-go, let’s be clear that this post is not for established organizations that are already far along when it comes to their information security efforts. They will have long ago sold management on the importance of, and in fact, on the critical nature of, information security policies. But small and mid-sized organizations, especially newly formed ones, often don’t yet have information security policies, nor does management in those organizations necessarily consider policies to be a priority. The first hurdle to jump over with top management involves the erroneous notion that information security policies are optional. Perhaps that was the case in certain industries back in 1980. But that’s unquestionably no longer the case. So it’s up to us technologists to show top management what they’re required to do when it comes to information security policies. Reflecting this “no question about it” status, in many situations, written security policies are now required by laws and regulations. For example, if your organization is a financial services firm in the USA, then the Gramm-Leach-Bliley Act (GLBA) requires it to have a privacy policy.

So, if you have not already done so, this is a good opportunity to speak with your organization’s lead attorney about information security. In that conversation, see if you can identify all the laws and regulations that your organization must comply with, the ones that mandate certain information security measures. Many of these laws and regulations will require policies, deeming them to be as one of the most fundamental information security control measures that an organization can adopt. This author suggests a spreadsheet as a quick-and-dirty way to organize the investigation. Some vendors also sell ready-to-go templates that give you a quick overview of the relevant laws and regulations. But even if you buy these templates, nonetheless be sure to have a conversation with the lead attorney, just to make sure that all the bases are covered.

So, let’s assume that there’s no law or regulation in your country that requires organizations in your industry to have an information security policy. What do you do then? Or what if there is a law or regulation that applies to your organization, which requires a policy statement, but top management at your organization still believes that it’s unimportant to have an up-to-date information security policy? What next in those situations?

Standard Of Due Care: The next conversation that you need to have with top management has to do with the legal notion of the standard of due care. Mind you, this author is not an attorney, so to prepare for your top management meeting, you should once again go back and see the lead attorney at your organization. In this attorney meeting, you should discuss the principles of liability, specifically what would make management liable for not having adequate information security measures. You should also attempt to define the information security related standard of due care for your organization, in your country, at this point in time. The standard of due care defines what a prudent manager is expected do, at a minimum, or from another vantage point, what is legally required of all well-managed organizations.

Beyond statutory laws and regulations, there are a number of ways to go about illuminating the standard of due care, and all of these should be pursued, with the hope that at least one of them will end up being convincing to management. You can for example reference case law, which unfortunately is not as well developed as many of us would like (the dearth of case law reflects the fact that information security is still a relatively embryonic field). By the way, one of the classic cases in this area is T. J. Hooper v. Northern Barge. On a similar note, regulatory agency guidelines or policies may make a point of requiring information security policies at the organizations they regulate.

Well-known international information security standards, such as ISO 27001, are also a good reflection of what’s generally accepted, and what goes into the prevailing standard of due care. Policies are for example a key part of the “information security management system” defined in ISO 27001. A few highly respected books, used as references by practitioners in the field of information security, can also serve as an authoritative source of information defining the standard of due care. In this category we will for instance find the Information Security Management Handbook, edited by Hal Tipton and Micki Krause (Sixth Edition, 2009). This book likewise defines policies as an essential part of every information security management effort. Published legal books, which address the requirements for information security also fit into this category. In the latter group we find Readings & Cases In Information Security: Law & Ethics by Michael Whitman and Herbert Mattford (2010). Again, security policies are highlighted as essential.

Your organization may also have an industry association that writes information security related technical standards. For example, the American Banker’s Association publishes a great deal of material dealing with information security. In one of their sponsored webinars, for example, well-known information security consultant Peter Browne spoke to the Foundations Of Information Security. Information security policies showed up there as a key ingredient to a successful information security effort. Likewise, if government agencies have issued books or pamphlets about information security, these too will often cite the need for information security policies. For example, the Federal Deposit Insurance Corporation (FDIC) in 2002 gave a presentation about e-Banking Information Security Guidelines, and that too cited the need for written policies.

Professional associations in the information security field, such as the Information Systems Audit & Control Association (ISACA), have also issued relevant publications such as COBIT: The IT Governance Framework (use Version 5, 2010). This highly respected reference again makes the case why information security policies are an essential component of all successful information security efforts. There are other definitive sources you could consult, such as a list of security requirements that all organizations must have in order to join a multi-organizational business network. Dig around, and you will often find that information security policies are a requirement for joining such automated business networks. Keep going with the reference gathering effort, because sometimes management will only be convinced when a long list of these references is presented to them.

Role Of Security Policies: While it is beyond the scope of this posting to go into the many and varied roles to be played by information security policies (see for example the post entitled “The Security Policy Hierarchy: A Governing Policy & Subsidiary Policies”), it is important that management understand how critical information security policies are. For example, they need to know how policies are at the apex of a pyramid of documents that guide and focus internal efforts. They need to know how policies can help save their neck when there is an allegation of unfair treatment after someone was fired because they violated a security-related rule. So make a long list of how policies support and buttress information security work, and show how policies are on the critical path to moving ahead with many other related efforts. For example, if policies have not yet been written, it will be very hard for management to successfully negotiate an information systems outsourcing contract with a third party service provider, because written policies will need to be incorporated into the agreement with an outsourcing firm.

Risk assessment: While there are other ways to convince management to support and fund an information security policy development effort — ways that go beyond the amount of space available in this post — this author will just mention one more approach. This involves performing an internal risk assessment, where all the major risks and vulnerabilities are examined. By performing such a risk assessment, top management obtains a clear snapshot of what the story is, right now. If policies have not yet been prepared, no doubt that fact will be highlighted in the risk assessment. You can then embellish on the findings of the risk assessment, by writing a memo about what would happen if policies are not promptly written and disseminated via awareness raising efforts. Both of these documents put management “on notice” (a legal term), where they are now in receipt of a report about a serious problem, and they need to do something about it. Doing something might be deciding that they aren’t going to do anything, but that’s still a decision. You have put them on the spot now, and they can’t ignore the matter any longer. You have gotten it in writing so that there’s no dispute about it, if (heaven forbid), you should ever be up there on the witness stand. You have passed the buck, and management should be uncomfortable about that, that is until they move ahead with the policy development and dissemination effort.

Still Required: In 2011, it’s surprising that there are still many organizations that don’t have an information security policy that is both responsive to their current situation and up-to-date. With all that we know about information security risks, this should be a no-brainer. Hopefully staff at these organizations will soon convince top management to support and fund an information security policy development, dissemination, and implementation effort.


Charles Cresson Wood, MBA, MSE, CISA, CISM, CISSP, is an independent technology risk management consultant with InfoSecurity Infrastructure, Inc., in Mendocino, California. His latest book is entitled Kicking The Gasoline & Petro-Diesel Habit: A Business Manager’s Blueprint For Action (see He can be reached via