The IT security policy framework is the foundation of an organizations information security program. The framework consists of a library of documents, but is just not a collection of documents. The framework and its documents are used to build an organizations processes, determine appropriate technologies to use, and lay the foundation for policy enforcement. The framework is a way for management to communicate the importance of information security to the rest of the organization.
Typical business areas commonly involved with policy framework include; development, maintenance, and compliance. Some of the common roles associated with policy framework include; Chief Information Security Officer (CISO), Information Resources Manager, and Security Manager.
The SANS Reading Room publication; Information Security Policy – A Development Guide for Large and Small Companies, describes a guideline rather than specific roles. The guideline describes a two-part structure consisting of primary involvement members, and secondary involvement members.
Primary Involvement:
- Information Security Team. The team or parts of the team should be assigned overall responsibility for developing framework, and policies. Overall control is normally given to a designated member with others in supporting roles as needed. The primary team guides policy framework and policy from development through to revision as the cycle dictates.
- Technical Writers(s). Many companies have technical writers on staff. Even though they probably will not take an active role in development, they can be an invaluable resource when it comes to planning and structure of the project.
Secondary Involvement:
- Technical Staff: In addition to security staff, it is probable that expertise from other areas will be needed. Staff from these areas will have in-depth knowledge of day-to-day operations, and knowledgeable of technical issues in their areas.
- Legal Counsel should review policy documents when complete. They can also provide guidance on industry regulations such as the Health Information Portability and Accountability Act (HIPAA), and Sarbanes Oxley (SOX).
- Human Resources (HR) should also review all policies to ensure they comply with company HR policies.
- Audit and Compliance. Departments responsible for internal audits will likely be involved in monitoring policies. They should be involved in the development of frameworks and policies to ensure that they are enforceable.
- User Groups. During revision stages users can provide a good indication on how successful a policy has been, and what parts might need revision. They often notice where improvements can be made in style, layout, and wording.
References
Diver, S. (06, July 12). Information Security Policy – A Development Guide for Large and Small Companies. Retrieved September 7, 2017, from https://www.sans.org/reading-room/whitepapers/policyissues/information-security-policy-development-guide-large-small-companies-1331.
