Tuesday, July 04, 2006

Smart Tips for Information Security Policy Design Process
(Authored by Ullas Tharakan)

Policy design should follow a well-thought-out process. The following steps are used to arrive at that process.

· Choose the policy development team.
· Designate a person or “body” to serve as the official policy interpreter.
· Decide on the scope and goals of the policy.
(Scope should be a statement about what is covered by the policy.)
· Decide how specific the policy should be.

All people affected by the policy should be provided an opportunity to review and comment on the policy before it becomes official.

· This is unrealistic for large organizations.
· It is often difficult to get the information out and to ensure that people actually read it.
· Incorporate policy awareness as a part of employee orientation.
· Provide refresher overview course on policies once or twice a year.

While creating the policies and processes, one must keep in mind that policies should:

· Be implementable and enforceable.
· Be concise and easy to understand.
· Balance protection with productivity.
· Be updated regularly to reflect the evolution of the organization.

Policies should:

· State the reasons why the policy is needed.
· Describe what the policy covers: whom, what, and where.
· Define contacts and responsibilities towards outside agencies.
· Discuss how violations will be handled.

Determining Level of Control

· Security needs and culture play major roles.
· Security policies MUST balance level of control with level of productivity.
· If policies are too restrictive, people will find ways to circumvent controls.
· Technical controls are not always possible.
· Management must commit to the chosen level of control.
