While an enterprise security policy is recognized as a valuable document for all enterprises, very few have one. For many, this is because they don't know how to go about creating one. Further, the cost of the exercise is often seen as potentially prohibitive. These concerns are valid, but they should not stop enterprises from proceeding. To that end, this note will examine the policy creation process and provide guidance on how to proceed in an efficient and cost-effective manner.
This research note will focus on the following topics:
- Definition of the various components of a set of security documents.
- Creation of a security policy development framework.
- Appropriate sequencing of steps in the development process.
Policy can be as broad or as narrow as the company requires. At a minimum, it should address IT infrastructure, data, and employee access and rights, but it can also include physical security and a host of other topics. Understanding what goes into a security policy and how the work can be structured will allow enterprises to move forward with policy creation projects that previously might have seemed insurmountable.