
Risky Business


Tips and tricks for securing information


Melding the Management view

By utnvrrv, on 24 April 2017

Management, Business, Information

Management’s role is to focus on conducting business using the information it has on hand and to generate results. Not all the information or data that management uses would be public or completely private. Senior management should study the types of data that they deal with and how that data helps them make decisions. This would then lead to the development of an Information Classification policy. There would also be a need to provide an appropriate guide to information handling. As a supplement, an easy flowchart or matrix would be helpful for most end-users.

Governance Framework

All internal stakeholders at various levels should be able to share their views on the proposed information security policies. One way to do this is to have a cross-functional team review the draft policies. These may then be endorsed or approved as necessary. Depending on the size of the organisation this could be 2 to 3 levels of review. Managers/business heads should have a chance to understand how the policies will shape the organisation in the future. As each policy traverses the chain it may be necessary to highlight examples that prove the necessity of key policy statements and how the policy will help safeguard the business.

Information Security Framework Baseline

Work out the baseline framework for the Information Security Policies. Usually, the ISO27000 set of standards (www.iso.org) works well. Alternatively, ISACA (isaca.org) has a framework for the governance and management of enterprise IT. This needs further refinement with management support to derive the overall policy outline. Having a set of policies based around a standard also helps gain the confidence of auditors and external stakeholders. The information security policies must aim to cover the organisation based on organisation processes. One should have a policy that has a few simple mandates rather than an all-encompassing one that only a few observe.

 
