Good question -
In my experience, there are pro's and con's to any approach, but one
of the most inclusive (and probably most effective) means of policy
formation is creating a policy development council or a policy
subcommittee of an existing security council (preferably with
executive level representation if at all possible).
While there needs to be a point person with responsibility for
actually writing the policies, using a council or subcommittee as a
forum for discussion will ensure that all of the appropriate voices
are heard when it comes to policy development (lines of business, HR,
legal, risk management, IT, information security, physical security,
loss prevention, compliance management, internal audit, etc...).
Once the policy has been completed and approved by the council or
subcommittee, it needs to be presented to the board for their input
and signoff. In the end, your policies should be endorsed (in
writing) by your executive team. This not only helps to ensure that
everyone understands what is in the policies and why, but it also
helps to set the tone from the top.
Be careful with this kind of approach though - consensus is important,
but some key decisions (some of which may be unpopular) will be made
during the policy formation process - be sure they are the right
decisions to properly protect and enable your business.
-Brad Bemis
_____
From: Richard.Sullivan@neupart.com
[mailto:Richard.Sullivan@neupart.com]
Sent: Friday, November 11, 2005 7:54 AM
To: Cronican, John
Cc: john_blackley@dell.com; security-management@securityfocus.com
Subject: RE: Senior Management Buy-in (was Top Information Security
Management Challenges in the Enterprise Today?)
Another follow up question: Were senior management intimately
involved in writing those policies?
We often see IT departments dictating policies that executives are
liable for. It's interesting that CFOs and CEOs could potentially go
to prison over this, then delegate the entire task to people with
nothing to lose.
- Rich
"Cronican, John" <JCronican@sempra.com>
11/10/2005 12:19 PM
To
<john_blackley@dell.com>, <security-management@securityfocus.com>
cc
Subject
RE: Senior Management Buy-in (was Top Information Security Management
Challenges in the Enterprise Today?)
Hi all,
My Senior Management are very aware and understand the content of our
information security policies.
John
John G. Cronican, Jr. (BEE, MSSM, CISSP, IAM)
Sr. Infrastructure Technologist
iProtect Sempra Energy
Sempra Energy Corporate Center & Sempra Energy Utilities
10949 Technology Place
San Diego, CA 92127
(858) 613-5738 (Desk)
(619) 787-1906 (Cell)
(619) 978-2493 (Pager)
JCronican@sempra.com
-----Original Message-----
From: john_blackley@dell.com [mailto:john_blackley@dell.com]
Sent: Tuesday, November 08, 2005 10:09 AM
To: security-management@securityfocus.com
Subject: Re: Senior Management Buy-in (was Top Information Security
Management Challenges in the Enterprise Today?)
Further to Brad's excellent post on gathering success stories, I'd
like
to ask one favor (because it's an issue in which I have an interest):
When responding, can you give some indication of whether - or not -
you
believe your senior management know and understand the content of
their
information security policies?
