In the last six months we have fielded a number of enquiries as to how we can help organisations ensure they have the right level of policy content in place to demonstrate they are working towards GDPR compliance.

In following up these enquiries it is often apparent that some of the organisations involved have struggled for years to consistently develop and deliver good IT security policies. Therefore the requirement to review existing or create new policies in the move to be GDPR compliant represents a challenge some feel unable to tackle without assistance.

Our Policy Management as a Service offering is geared to quickly develop and deploy comprehensive and appropriate organisational IT policies to users, managers and technical people. A Service Spec Sheet is available on request.

The service addresses two primary challenges:

  • Most organisations don’t have in-house subject matter expertise to write and manage policy content that is easy to read and understand, and interestingly nobody is keen to volunteer to do this work!
  • Once written, policies are not kept up to date and therefore don’t reflect ongoing technological, compliance or regulatory changes. Our research shows policies often remain untouched for up to 5 years after being deployed.

Using the ISO27002 set of standards, practices and controls as the foundation of the policies in our system means we have a good starting point with respect to the GDPR. Several sections of ISO27002 are directly related to key data protection, retention and breach response requirements outlined in the new regulation.

To help organisations address the new regulation more comprehensively, we have also incorporated additional policy content (and mappings) to cover the protection of personal data and personally identifiable information, based on the ISO29151 standard. ISO29151 is designed to help organisations establish and implement the right controls to meet the requirements identified by a risk and impact assessment related to the protection of personally identifiable information (PII).

Taking out an annual subscription to Policy Management as a Service means any organisation can demonstrate that they are following best practice, that they are working with policies compliant with standards and regulations such as ISO, PCI and GDPR, and that those policies reflect the use of current technologies such as Cloud Computing and Mobile Devices. All policy content is customised and branded to meet customer requirements.


See also our case study on how we assisted Carlisle Council with their IT Policies.

To discuss Policy Management as a Service, contact Sue Lal:
Sue Lal – sue.lal@protocolpolicy.com
T. (mobile) 07769 338003
T. (office) 01604 709456

It’s now quicker, easier and more cost effective to address your IT Security Policy needs!

Protocol Policy Systems (PPS) and Socitm are pleased to announce the immediate availability of our new Policy Management as a Service offering to the UK Local Authority sector.

This cloud-based subscription service allows Local Authorities to deliver up to date IT Security Policies for all staff including technical and management roles, eliminating the overhead of creating, updating and maintaining those policies in-house.

All the hard work of gaining expert knowledge, developing and maintaining IT Security Policies to keep them current and mapped to standards such as ISO, PCI and PSN is taken care of by the PPS team on behalf of our Local Authority clients. We become your IT Security Policy partners.

As the service is provided on a fixed annual subscription basis, you can predict the annual cost of ensuring this time-consuming and laborious job is taken care of by subject matter experts.

If you are facing any of the common challenges outlined below, then the PPS service offering can help you:

Q.  Do we have someone available with subject matter expertise to do this work?

A.  Many organisations struggle to identify any staff member who is willing to do this work, or who has the experience in writing good policy content that can then be mapped to international standards.

Our team of experts writes policy every day for customers, ensuring that the wording is in easy-to-understand language and is cross-referenced to standards within the Protocol Policy System.

Q.  How long should it take to develop or update policies?

A.  The allocation of time and budget each year to maintain policies is often overlooked. Commonly a set of policies is developed on a “big bang” basis every 5-8 years, and the investment required to do this work is significant. Once done, the policies are then typically left as is and rarely maintained or refreshed until the cycle repeats itself. It is estimated that it takes over 2 years to develop a comprehensive set of policies from scratch and work out how to map them to standards.

Protocol Policy Systems can typically deliver a comprehensive suite of IT Policies in under 8 weeks (elapsed timeframe). Our consultants run a workshop with key stakeholders on site as part of the delivery process. The final system we deliver will contain policies that are customised and branded to each organisation’s requirements and fully mapped to standards such as ISO27002, ISO22313, ISO27017, PCI3.x etc.

Q.  How do I manage policies when standards, legislation and technologies never stand still?

A.  PPS has a team of subject matter experts constantly reviewing standards and legislation in order to reflect necessary changes and updates within the IT Security Policies.

Q.  We’ve got a set of policies for when we get audited. That should be sufficient, right?

A.  IT policies, once completed, are very often filed away at HQ and rarely seen or used. No “visibility” results in no accountability and no adherence to your desired IT Highway Code of Conduct. This is further compounded if an organisation is geographically dispersed or de-centralised.

Providing access from each user’s desktop to an IT Policy System means you are on the path to developing greater security awareness and understanding among your management and staff. It also provides access to a range of forms, logs and guidelines such as an Incident Report Form, Request for Change Form, Staff Remote Access Form and more.

Partnering with a specialist organisation such as Protocol Policy Systems for an annual fixed fee will reduce your investment in establishing and maintaining a suite of IT Security Policies in house, or using a contracted resource, by as much as 70%.

If you would like to arrange a gap analysis on your existing policy suite or wish to assess the costs you incur establishing and updating your IT Security Policies against our comprehensive suite of customised IT Security Policies, then please contact:

Sue Lal – sue.lal@protocolpolicy.com
T. (mobile) 07769 338003
T. (office) 01604 762992

A survey by Protocol Policy Systems, a Socitm partner company, has revealed that public sector organisations still have a lot of work to do to prepare for major changes to data protection laws.

As time runs out to comply with the General Data Protection Regulation (GDPR), the survey found that many organisations may be at risk of non-compliance, risking regulatory action and reputational damage for not getting their house in order.

The research, conducted from 11 September to 23 October 2017, revealed just 22% of those surveyed had prepared specific policies in preparation for the new law, and of that figure 52% rated their preparation as average or poor.

The findings also showed that 15% of those surveyed had managed to review and amend procedures but only 5% had updated and distributed IT policies to all staff.

As a priority activity in preparation for GDPR, public sector organisations should start by conducting a review of the current information governance framework and its suitability to address the new requirements outlined in the legislation.

The Protocol Policy Systems research revealed that 73% of organisations had reviewed or are currently reviewing their framework of documented policies and procedures around specific industry standards such as ISO 27001, ISO 27002 and PCI-DSS.

Protocol Policy Systems can assist you in reviewing, updating, implementing and sharing your IT security policies with cross-referencing to industry standards to demonstrate good information governance in preparation for GDPR.

For more information about our IT policy review or policy gap analysis service, please email sue.lal@protocolpolicy.com or call 07769 338003.

It’s critical that organisations create a culture of cybersecurity awareness, according to an industry-leading expert.

Martin Ferguson, Director of Policy and Research at Socitm, says staff at all levels should be engaged and contribute to protecting their organisation from attack.

“Achieving this requires specialist skills and insight into the human factors side of the equation”, Ferguson says. “That is why it is vital to engage the HR team in helping to develop a strong cybersecurity culture and reinforcing that everyone in an organisation has a role to play.”

For advice on how to develop a cybersecurity culture, please read the latest cybersecurity update from the Socitm Advisory/Protocol Policy Systems (PPS) partnership.

Hardly a week goes by without a cyber security incident being reported either nationally or internationally. The recent WannaCry ransomware outbreak is a widely reported example of an international cyber threat with global financial and operational consequences, one that caused many organisations to assess their immediate vulnerabilities and risk profile. WannaCry was quickly followed by the release of a similar piece of ransomware named Petya. These new threats have been giving many people sleepless nights and have put a massive strain on resources to ensure that systems and data are not impacted. For the many organisations that have been impacted, an expensive clean-up exercise to restore systems and data has been a very unfortunate outcome.

Whilst it is important to always re-assess your processes, procedures and technology controls to mitigate the above risks and threats, it’s increasingly important not to overlook the role your people play in security risk management and exposure. For many organisations ransomware outbreaks ratchet up the pressure on the short-term operational front and make it very challenging for an already resource-constrained team to maintain any consistent focus on developing strategic and proactive initiatives that drive programmatic IT security improvement for the long term.

The uncomfortable truth is that Human Factors are often ultimately the weakest link in these situations, and organisations that should readily be able to demonstrate a degree of security maturity are actually very exposed.

The best place to start demonstrating your security maturity is by building a solid foundation of comprehensive IT Policies, to help establish a common standard for operational system use which also sets a solid foundation for effective control of risk as part of your Security Maturity Model.

By creating this organisational “IT highway code of conduct” users know the guidelines and rules of operation, minimising accidental data breaches and unnecessary security risks. The main objective of your information security policies is therefore to protect corporate systems and maintain data confidentiality, integrity and availability.

As IT policy management subject matter experts, Protocol Policy Systems regularly gains insights from organisations into some of the motivations and challenges associated with creating, publishing and maintaining good IT policies.

In talking with Senior Executives and their teams about the need to have good IT Policy in place, we highlight the 7 key motives below.

  • Endorse the commitment of the CEO and senior management in protecting valuable information assets – increasing stakeholder confidence in the organisation
  • Enable the organisation to meet their legislative requirements – operating to required minimum standards such as PCI-DSS, ISO27001/2, PSN and other directives
  • Help protect the assets of the business – such as infrastructure, corporate information and the users of systems
  • Provide the IT security framework for an organisation – building a Security Maturity Model for continued security improvement
  • Provide a uniform level of control and consistent guidelines for management – which helps support disciplinary procedures in cases of intentional misuse of systems and breaches
  • Communicate one computer security message to all
  • Advise staff about computer security and about their responsibilities

Generally we get agreement that these points make good sense. One might assume thereafter developing and delivering IT Policies is a straightforward exercise for any organisation. The reality is unfortunately very different. We’ve highlighted below the main challenges organisations face in creating, publishing and maintaining IT policies and how a different approach may be more effective.

The Executive Sponsorship Challenge

Whilst CIOs and IT Managers understand the importance of having established comprehensive and up-to-date IT policies that all users of corporate information and systems can access, and the risks of not having them, it remains a challenge to raise the profile of policy management across the Executive team and attain the right level of priority, attention and investment required for effective implementation.

Canvassing Executive sponsorship should incorporate discussion around risk and the value of establishing comprehensive IT policies that are relevant and tailored to an organisation.

When done correctly, IT policy management can be part of an enabling culture for the workforce, and is as much about protecting the people assets as the information assets of any organisation.

Having comprehensive IT policy management practices in place demonstrates good information governance upon which procedures, processes and informed technology investments can be made.

So whilst CEOs and CIOs will agree in principle that IT policy management is very much required for their organisation, they often struggle to reconcile the time, cost and effort to get the job done in house. Factors that contribute to this stance include lack of expert knowledge of policies, making policies relevant whilst demonstrating compliance with legislation and standards, delivering policy in a simple easy-to-understand format for the various user levels, through to the ongoing maintenance of the IT policy library to assist with audits and compliance.

The Subject Matter Knowledge Challenge

What’s the next stage once your Executive team agrees that IT policy management needs to be given some attention? Typically, you’ll look within your organisation for a suitable candidate to allocate this project to.

Unless you are fortunate enough to have employed an IT policy subject matter expert with lots of available time, it’s more likely you’ll be tempted to allocate the project to another member of the IT team who may be tasked to slot it into their existing workload. If this is the case, it won’t just be the effort and time to create policies that need to be factored into the project, but also the time and cost of gaining the expert knowledge to create relevant and effective IT policies.

You should also factor in the need to keep your policy author’s knowledge current so that policies are always updated and relevant. Consider a knowledge share and transfer plan in the event your “internal expert” is no longer available to maintain your policies.

The Best Practice, Standards and Legislation Challenge

An extra consideration when establishing your IT policies is your organisation’s governance, compliance and legislative requirements.

For example, within the UK public sector there may be a need to comply with Public Sector Network (PSN) requirements and undergo an audit exercise periodically. A similar approach is driven by the Payment Card Industry – Data Security Standard (PCI-DSS) which will be applicable to any public and private organisation processing card payments.

Many organisations build their comprehensive IT policies based on ISO27002, the industry standard for information security best practice, and the ISO22313 Business Continuity Standard. These standards provide an excellent foundation upon which organisations can start to demonstrate good information governance.

From a legislative perspective there is a pressing need for organisations to develop and deliver policy that meets the requirements of the EU General Data Protection Regulation (GDPR) which comes into effect May 2018.

As these standards and legislation continue to evolve your policy content may need to be updated. Your IT policy management expert needs to keep on top of the changes and update policies accordingly where applicable to maintain compliance and meet audit requirements.

Finding the Time

Given the above challenges it’s easy to see that IT policy management requires effort, expert knowledge and considerable time allocated to its development.

Often there is a catalyst around establishing or updating IT policies within an organisation which could trigger a “Big Bang” approach after a long period, possibly even after several years. This could be because of a security incident occurring such as the recent WannaCry event, the associated risk of a fine, or a pending compliance and governance audit (such as ISO27002, PCI-DSS or PSN) which highlights either the absence of IT policies or that the documented guidance content is outdated.

When the “Big Bang” happens, the policy management lifecycle for creation or updating often takes several months, presenting the added challenge of finding suitably skilled resource to prioritise IT policy management whilst managing pending risks and any corporate reputation damage.

In instances where “someone” has been compelled to make some “ad hoc” changes or edits to keep content current, reviewing the content makes it evident that process and procedural elements have “appeared” in the policy statements, suggesting “the someone” is not trained in writing policy. Cross-referencing of the content to relevant standards such as ISO or PCI is also often limited or non-existent.

Make IT Policies easy to find and build awareness

Despite organisations having spent anything up to 2 years creating IT policies to meet corporate objectives around information security, risk management, regulatory and auditing requirements, IT policies are initially filed away at HQ and rarely seen or used. No “visibility” results in no accountability, compliance and/or no adherence to your desired IT Highway Code of Conduct. This is further compounded if the organisation is geographically dispersed or de-centralised.

Once the Policies are in place and your IT Highway Code of Conduct is published and visible, specialists can then assist the organisation to socialise policies and deliver an education and awareness program. This will help embed the desired common guidelines and rules of operation and help minimise accidental data breaches and unnecessary security risks.

Request an IT Policy Management Cost Calculation

Partnering with a specialist IT policy organisation could reduce your investment in establishing and maintaining an IT Policy Management platform by as much as 70%.

If you would like to arrange a gap analysis on your existing policy suite, or wish to assess the costs you incur establishing and updating your IT Policies against our comprehensive list of 25 customised IT Policies, then please contact sue.lal@protocolpolicy.com.

Please note that all of our 25 policies are cross-referenced to standards such as ISO27002 and PCI-DSS and demonstrate your compliance with the Public Services Network (PSN) requirements.

The 12-month countdown to GDPR enforcement has begun, so if you haven’t started the process of reviewing its impact, now is an ideal time to embrace this as a positive opportunity for your organisation to re-assess its security maturity.

Whilst many vendors are focussing on the penalties and fines associated with breaches of Personally Identifiable Information (PII) regulation, there are several options to mitigate risk, namely people, process and technology.

A review of Policies and Standards and their implementation needs to be a key foundational step towards meeting GDPR requirements. In doing so, organisations will benefit from ensuring staff understand the sensitive or confidential nature of corporate and PII information and the associated security-based processes, and will be better placed to make considered and effective technology infrastructure investments. Making “rules before tools” your mantra should help reduce cost and mitigate risk.

The ISO27k family of standards provides a good baseline to help organisations demonstrate they have policies in place to support the requirements of the GDPR. ISO standards are not written to comply with the laws of any particular jurisdiction, and there will be a need to interpret or apply the standards to support the data protection regulations. Specifically, looking to the controls outlined in Annex A of the ISO27001 Information Security Management System (ISMS) and the related ISO27002 standard will provide a good starting point. There are some additional controls covered in standards such as ISO27017 and ISO27018; the latter, the Code of practice for protection of PII by public cloud service providers acting as PII processors, will also be relevant to apply. ISO 27017 delivers some brand new security controls for personal data and extends existing ISO 27002 controls to cover content for cloud privacy.

The privacy and protection of personal data is an area where an ISMS will need specific work so that it provides extended coverage regarding PII and those who work with or manage that data, as defined in the GDPR. This will help to manage the risk and the use of mitigating controls around personal data without the need for additional, similar information protection processes just for GDPR.

Examples of just some of the new additional controls introduced in ISO27018 to increase the level of protection of personal data stored in the cloud include:

  • Secure erasure of temporary files
  • Recording of PII disclosures to third parties
  • Notification of data breach involving PII
  • PII return, transfer and disposal policies
  • Encryption of PII data that is transmitted over public networks
  • The use of unique user IDs for cloud customers
  • Disclosing the geographic location of stored data to the cloud customer

However, Human Factors will ultimately play a big part in ensuring an organisation does not fall foul of the new regulation in May 2018. This reinforces the importance of taking the pending GDPR directive as an ideal opportunity to re-assess your IT security policies and standards, updating them to meet current compliance requirements such as ISO27002, ISO27018 etc. to demonstrate good information governance.

Having the policies documented in easy to understand non-technical language and made accessible to all staff is key along with an on-going maintenance plan to ensure the policies are always current and relevant to your organisation.

Protocol Policy Systems provides a customisable intranet-based IT Policy management platform of around 25 key IT Policies that are cross-referenced to standards such as ISO27002 and PCI-DSS, with full cross-referencing of policies to the Public Services Network (PSN) compliance requirements.

To review how our IT policy management platform may be adopted to demonstrate good information governance as part of your preparations for GDPR, please contact sue.lal@protocolpolicy.com to arrange a demonstration or an initial discussion with one of our subject matter experts.

Cloud-based service provision under the umbrella of everything-as-a-service (XaaS) is showing signs of continued rapid growth. The most common examples of XaaS are Software as a Service (SaaS), Infrastructure as a Service (IaaS) and Platform as a Service (PaaS). Other examples of XaaS include storage as a service (SaaS), communications as a service (CaaS), network as a service (NaaS) and monitoring as a service (MaaS).

Public Sector authorities and the Third Sector are becoming more active in assessing and adopting the XaaS strategy for service delivery, but it’s not without careful and thorough consideration.

If you have had cause to assess the benefits derived from a move to cloud-delivered applications and services, then you will also have augmented this work by completing a risk assessment. Most likely you have had to consider the risk of poor quality of service and poor network performance, struggled to identify tangible, measurable cost savings, and, probably most importantly, weighed the risk factors associated with security and privacy of data.

At Protocol Policy Systems we know about these concerns because, through our work in the Local Authority and Third Sector, we have helped organisations begin a journey to improve their security posture. Getting foundational, comprehensive IT policy content in place helps develop and improve IT users’ behaviour when properly socialised. A key benefit of this improvement is that the deployment of new services and technologies is easier and less risky.

Whether your organisation is already a consumer of “The Cloud” or is planning a XaaS adoption in the future, it is worthwhile being aware of and understanding the relevance of the ISO 27017 and ISO 27018 standards. Compliance with these Cloud-focussed standards will help you raise the level of assurance you need to have in place internally, with your customers and, more importantly, with your Cloud Service Provider (CSP).

What do ISO 27017 & ISO 27018 cover?
ISO 27017 is a security code of conduct pertaining to the procurement of cloud services.

ISO27017 will be of interest to both CSPs and Cloud Service Customers (CSCs) as it outlines compliance requirements for each. It extends the 37 existing security controls covered in ISO27002 to incorporate cloud-based guidance, and adds seven new cloud-based controls:

  • Responsibilities for each party – CSP and CSC – who does what?
  • Contract termination arrangements – for the removal/return of assets
  • The CSC and CSP are expected to work with each other in documenting key aspects of the cloud environment – for example the CSP needs to be able to provide information on critical operations and procedures as and when customers require it.
  • Monitoring of activity within the cloud by the customer
  • Separation and protection of the customer’s virtualised environment
  • Virtual machine configuration requirements
  • Aligning of the Virtual and cloud network environments

ISO 27018 is focussed on the privacy and protection of Personally Identifiable Information (PII) in the Cloud.

ISO 27018 provides the following key guidelines to CSPs:

  • PII may not be used for business marketing or advertising purposes. The customer has control over their own data and the CSP is required to process PII as instructed by the customer – for example a customer can consent to having their PII used for marketing and advertising purposes.
  • CSPs are required to train employees to handle and manage PII, and there are specific guidelines on the storage, restoration and movement of data.
  • In the event of a data breach the CSP must notify the customer immediately plus maintain comprehensive details regarding the incident and ensure customers will continue to be compliant with their own security obligations.
  • A CSP must disclose the names and details of any sub-processors of PII data they use before concluding any customer contract. This requirement extends to any changes of sub-processors part way through a contract period and allows for a termination of contract if the customer is not happy with a change of sub-processors.

Could it be time for you to re-assess your organisation’s current IT policies in line with ISO 27002, the code of practice for information security controls, and factor in the ISO 27017 and ISO 27018 standards?

If so, please contact sue.lal@protocolpolicy.com to arrange a time and date to discuss how our IT policy management system and subject matter experts can assist you.

P.S.  Watch out for our next brief on General Data Protection Regulation (GDPR).

Establishing IT Policy to help execute a good IT Governance strategy is no simple task, particularly as IT Policy needs ongoing maintenance and management.

We know this because Protocol Policy Systems has been providing this service to Local Authority sector customers for some time. Our most recent customers’ reviews highlighted their short-medium term concerns which included:

1. Using Cloud Service Providers, i.e. XaaS
How do we ensure we transition safely to cloud delivered services and applications? – what foundation does our organisation need to have in place?

2. GDPR, everyone’s talking about it
GDPR is on the horizon – every technology vendor claims to have some form of solution to address the requirements. In reality “human factors” present the biggest risk and challenge in terms of our readiness and then meeting ongoing compliance.

3. Reducing Costs
Budgets will continue to be tight so getting measurable security improvement in place will continue to be challenging.

We’ve decided to share our customer feedback along with insights into future policy projects to form the basis of a series of brief updates around The Evolution of IT Policy Management. If you would like to subscribe to receive The Evolution of IT Policy Management briefs, please email sue.lal@protocolpolicy.com.

Should you wish to further understand how I am working with other clients in your sector to:

  • ensure the foundations for successful cloud adoption are in place
  • minimise human factor risks
  • deliver security improvement

then please feel free to drop me a note at sue.lal@protocolpolicy.com or call direct on 07769 338003.

Sue Lal

Protocol Policy Systems are pleased to be able to introduce to you our new Client Director, Sue Lal, who has joined the team starting January 2017.

She is a highly experienced strategic business development professional with a solid understanding of IT Systems, Security and Service management practices together with the associated security compliance and governance challenges facing both Public Sector and 3rd Sector organisations.

Sue’s IT sales career has included working for some of the UK’s leading technology resellers such as Lynx Technology, SCC and more recently Pangea Systems where she set up and built their Public Sector business.

She has over 25 years’ experience in sales leadership and strategic account development working with commercial and public sector organisations building long term trusted business relationships based on the solid understanding of clients’ requirements, challenges, operational needs, risks and agreed measured project success criteria.

We look forward to creating more long term relationships in the Local Authority and 3rd Sectors during 2017 under the guidance of Sue.

In this article we address 3 questions: Why are IT Policies important? Who should be involved in the development of IT Policies? And how do organisations typically manage their policies today?

Firstly, a quick recap: in Part 1 of Recognising the value of IT Policies we outlined how the first critical step to creating a secure digital environment involves developing policies and procedures. These document an organisation’s intentions to diligently manage digital information throughout its life cycle and keep it safe from unauthorised persons. We then defined information security (see below), detailed why IT Policies are required and outlined “what they do”.

Information security can be defined by three things:

  • Confidentiality – information must not be made available or disclosed to unauthorised individuals, entities, or processes
  • Integrity – data must not be altered or destroyed in an unauthorised manner, and accuracy and consistency must be preserved regardless of changes
  • Availability – information must be accessible and usable on demand by authorised entities

Why are IT Policies important?

  • Organisations are beginning to understand the importance and power that information, communications and technology bring to their business.
  • This may be in support of the fundamental activities of the business (financial systems, logistics, inventory, CRM etc), a customer service portal or – for the more advanced – extend to what is labelled the Internet of Things.
  • It is important that these systems are used, operated and managed efficiently and effectively to ensure business continuity and to enable the organisation to meet legal, regulatory and statutory requirements.
  • The organisation must define and communicate its expectations for the appropriate use of these systems so that they remain available for business purposes and their use does not bring the organisation into disrepute.
  • With the proliferation of mobile devices and cloud service offerings, it is more important than ever for organisations to define what they want their IT environment to look like and how their information should be used. It’s not just “internal systems” anymore.
  • Many of the problems around information leakage could have been avoided through appropriate use of information systems. Many outages could have been avoided if systems had been correctly configured and managed.
  • Documented policies and procedures take the guesswork out of information security and enable an organisation to manage business risk through defined controls that provide a benchmark for audit and corrective action.
  • Without documented policies and procedures, each and every employee and contractor will act in accordance with their own perception of acceptable use, creating an environment in which system management is ad hoc as well as inconsistent. Staff will be unaware whether or not they are acting within the organisation’s risk appetite.
  • Security attacks against organisations are increasing both in number and sophistication, and we must ensure our systems can be protected against these threats. The first step in achieving this is to document the rules and guidelines around system management, operation and use. By complying with these rules and guidelines, organisations are doing everything they can to protect their systems and their people from a security threat.
  • Effective information security policies protect the staff as much as the organisation.

Who should be involved in the development of IT Policies?

The CIO, IT Manager, Network Administrators and System Administrators should all be involved in the development of the policies and procedures. Input from Human Resources and Information Managers is recommended. We also recommend input from Risk and Legal staff if these roles exist within the organisation. Ultimately the Senior Executives and Management Team should sign off the policies.

How do organisations typically manage their policies today?

Many organisations have a basic Email and Internet or Acceptable Use Policy and do not comprehensively define their expectations for the management and use of information and information systems. If they have policies, they are usually a couple of Word documents published somewhere on the organisation’s intranet. If policies have been developed, they may be out of date, available in hard copy only and not published in such a way that they are readily available to the wider user community. Policies may be handed out by Human Resources during staff induction, but there is no reiteration of the policies on an ongoing basis, often no training on information security and typically no ongoing security awareness programme. Finding someone to take full ownership of IT Policy in an organisation can be a challenge, making cultural change around IT Security elusive.
