Firms need structured security policies, says Gartner

Plus 'obvious consequences for non-compliance by staff'

It is essential for any business to have a structured security policy with clear language to address all levels of employees, a Gartner analyst has warned.

Speaking at Gartner's IT Security Summit in London, Les Stevens said it was crucial for businesses to start recognizing the key factors influencing the success or failure of policy management.

Many businesses failed to learn from actions that hurt the development of successful policies, he said. These included a low focus on business requirements, risk and implementation, alongside too much focus on pleasing managers and on fitting in with audit requirements -- all to the detriment of building policies specific to the business.

Another problem identified by Stevens was the lack of management support and weak communication culture in some organizations.

"What you need is clear and concise content, a clear definition of roles and responsibilities, a defined purpose, and obvious consequences for noncompliance by staff. It also needs to be in the language of the audience," he said.

"The implementation must fit within the culture of the organization, and be regularly reviewed and maintained. There have to be audits of how well the company is sticking to these policies."

It was essential to have both a hierarchy of policies and of responsibilities in implementing them, said Stevens. To implement policies, he said a top-down charter was needed, together with generic policies and more specific plans for departments, alongside non-enforced standard procedures and guidelines.

The chief information security officer and the chief executive should have responsibility for security policy development, Stevens said, while the information security committee should be in charge of the approval and implementation of that policy.

More about: Gartner

Comments

Post new comment

The content of this field is kept private and will not be shown publicly.
Users posting comments agree to the Computerworld comments policy.
Login or register to link comments to your user profile, or you may also post a comment without being logged in.
Related Whitepapers
Latest Stories
Community Comments
Whitepapers
All whitepapers
Sign up now to get free exclusive access to reports, research and invitation only events.
Featured Download
/downloads/product/138/driverscanner-2010/

DriverScanner 2010

DriverScanner scans your computer and provides you with a list of drivers that need to be updated. All you have to do, then, is simply ...

Computerworld newsletter

Join the most dedicated community for IT managers, leaders and professionals in Australia