Focus and simplicity are key to developing and implementing companywide information security policies, according to IT managers at a panel discussion at the Infosec World conference in Orlando this week.
"Pick your battles," said Anish Bhimani, the chief information security officer at JPMorgan Chase & Co. He urged companies to "be crystal clear what your objectives are" and spell them out in a policy that is easily read and understood by other workers.
Bhimani also stressed that companies should avoid developing a laundry list of overly specific compliance items that will be hard to enforce.
JPMorgan Chase, for instance, has adopted a relatively short list of "must comply with" information security policy items that encapsulate the company's high-level data protection goals. It also has implemented a broader set of "should comply with" items that are a bit more of a stretch, he said. "One of the things to consider is how many controls are you asking people to comply with. Just focus on the things that matter."
"By definition, policies are mandatory" and should only include items that absolutely must be complied with, said Charles Pask, managing director of ITSec Associates, a consultancy in Leicester, England. The specific standards and controls needed to comply with official policies should then be implemented as part of an overall risk assessment program, he said.
Sandy Bacik, corporate security officer at Tekelec, a provider of telecommunications services, said that information security policies should guide behavior and need to be separate from broad security standards and guidelines. For example, a company could have an enterprise policy requiring business units to protect their information assets based on the importance of that information to the business. A guideline around this would probably inform information owners about the need for strong access controls, while a standard would mandate the need for them to use strong passwords, she said.
Policies should be high-level enough to remain relevant over a period of time and need to be "technology-agnostic," Bhimani said. "The point is you can't mandate the use of a specific technology in a policy" without losing the flexibility to accommodate change quickly, he said.
Security policies also need to be easily enforceable to be effective, said Philip Maier, vice president of the information security, emerging technology and network group at Inovant, Visa International Inc.'s IT unit. Therefore, it's a good idea to vet all policies with an enforcement group and subject matter experts to make sure there's a realistic way for them to be enforced, he said.
For multinational companies with global operations, writing security policies that retain the same meaning across different languages can be a challenge, Pask said. A policy written in English, for instance, can often lose some of its original meaning in translation, he said.
Similarly, it's important to recognize that words and phrases that are acceptable in the U.S. can create problems elsewhere, Maier said. Inovant, for instance, had to replace references to "master" and "slave" systems in one of its policy requirements after the words were found to be objectionable by employees in the company's Asian operations, he said.