Creating an enterprise IT security policy is generally a process that the IT department takes on exclusively, a natural choice since the IT department understands IT requirements best. However, creating policy in a vacuum often yields guidelines that are unworkable for business units because the controls are too stringent. To ensure that the level of strictness specified by the policy works for everyone, IT and the lines of business must develop the policy together.
This note outlines four steps for building a policy whose stringency level is acceptable to both IT and the business:
- Establish baseline stringency.
- Collaborate to establish final stringency.
- Publish policy drafts often and solicit feedback.
- Increase stringency slowly over time.
Working in this manner may not give IT the level of risk mitigation it wants on day one, but it ensures that some risk mitigation occurs immediately, with a strong likelihood that enhancements can and will be made over time.