Effective Security Policy Management – Part 3

Part 3. Defined Management Structure

To help keep information security policies readable and manageable, it is important to keep the information “level” consistent among the various document types. In other words, it is not advisable to mix policies, procedures, standards and guidelines into your policy documents.

An effective approach is to create a policy governance structure, which breaks information into separate documents for policies, standards and procedures. For example, a Password Policy would state the high-level organizational goals to create and maintain strong passwords. It can refer to a Password Standard document which defines the detailed controls that make up strong passwords, such as password length, complexity and history.

Keeping these structural elements separate allows an organization to update standards and procedures as new technologies or processes are introduced, while updating higher-level policy documents less frequently.

Another high-level management structure is to organize documents into groups based on subject matter. For example, many organizations manage their information security programs based on ISO 17799:2005. A defined management structure with a naming convention for each category can organize documents by subject matter, allowing easy mapping to the various control categories. These same subjects can serve as the “folders” for organizing documents on an intranet or common server.