Workplace infosec policies


Protecting information in the workplace is such a broad brief that we're working on 4 policy templates for the July awareness module:
  1. Workplace information security policy - concerns the need to identify and address information risks wherever work is performed, and wherever valuable information exists (not just at the office!).  This is an update to our 'office security policy'.

  2. Information retention policy - the timescales for retention and/or the criteria for disposal of information should be specified when it is classified, along with the security requirements for safe storage, communications and access.

  3. Information disposal policy - when information is no longer required, it may need to be disposed of securely using forensically sound techniques.

  4. Information classification policy - updated to reflect the need to specify retention and destruction requirements where applicable (e.g. if mandated in laws, regulations or contracts).

Several other information security policies are also relevant - in fact virtually all of them - but if we attempted to promote them all, the key awareness messages would be diluted and lose their impact.  Even citing all the relevant policies from those 4 would become unwieldy, so instead we pick out those few that are most important in this context.

This situation illustrates the value of a coherent and integrated suite of information security policies, designed, developed and managed as a whole. Having personally written all our policies, I appreciate not just what they say, but what they are intended to achieve and how they inter-relate. At the same time, I'm only human! Every time I review and revise the policies, I spot 'opportunities' ranging from minor readability improvements to more substantive changes e.g. responding to the effects of BYOD and IoT on information risks. Revising a policy is also an opportunity to refresh the accompanying security awareness materials, reminding everyone about the topic.

Given that the landscape is constantly shifting around us, policy maintenance is inevitably an ongoing task. So when was the last time you checked and updated yours?

Hinson tip: sort the policy files by the 'last updated' date, and set to work on at least checking the ones that haven't been touched in ages. It's surprising how quickly they become limp, lackluster and lifeless if not actually moldy like stale bread.


PS  If you have to scrabble around just to find all the policies before sorting them, well the learning point is obvious, isn't it?

PPS  No, I think it's a daft idea to have a policy on policy maintenance!