Implementing Security Policy
Once the security policy is defined and agreed upon, the implementation plan of the policy should be worked upon. It is usually easy to create a policy but very difficult to implement it. The measure to implement a security policy is to educate the staff members about the security requirements and security policy of the company.
To implement security in an organization it is important that not only the employees of the company but the senior management and the board of directors also participate in security process. The attitude of senior management towards the security affects the entire organization’s commitment to security. The external people associated with the company such as contractors and auditors should also support the security processes of the company.
The board of directors should clearly specify their security expectations to the management and approve security plans, policies, and programs. An annual report should be created on the effectiveness of the information security programs.
The Security officers on the other hand should have sufficient knowledge, background, and training to handle a crisis situation. They should also have the authority to respond to a security event. They should be allowed to take immediate actions in the times of emergency.
The employees of the company should also be aware of the security policy of the company. Besides they should know their role, responsibilities, and accountability of their security responsibilities. Their job contracts should specify any additional security responsibilities besides the general responsibilities.
The security policy must be made available to staff members so that they can refer to it any time. Also the policy must be easily available any time. The security awareness program can be defined. The user friendly and informal lines of communication must be open between Information Security Office and the employees.
The employees of the company should also be made aware of the security violations so that they fully know the repercussions of violating the security policy. This would help in unintentional exposure of sensitive information to attackers or causing intentional violations.
The violations of the policy should be handled appropriately with the terms of AUP (Acceptable Use Policy) of the policy.
