While collaborating on a Mission College (MC2IT) Security and Privacy Board meeting a few years ago, another board member and I were discussing the challenges of managing an information security program and how we can get more students involved in security and to get more people involved in managing an organization’s security policies. He said that one of the biggest (expletive) challenges in policy management is the fact that once you have your policies in place, they immediately become out of date. And, unfortunately, this is accepted as an inevitable reality in many organizations (big and small)!
Security risks and the techniques and technologies to address them move extremely quickly, and organizations are always changing. You can’t create a comprehensive security and privacy policy document (a PDF or MS Word file hiding away in a “shared” folder) and expect to keep something so static up to date easily. Unfortunately, it’s a stagnant set of policies that puts so many organizations at risk…both from a security standpoint and when it comes to doing business. When policies are out of date, you could be missing critical controls that address the latest attacks, and you could be responding to RFPs with information about your people, processes, and products that is no longer accurate…which could lose you the deal or expose your organization to financial liability.
So, how do you keep your security policies current? Use them! Use them! Use them! Security policies aren’t a hoop to be jumped through. They aren’t a burden to bear. Your policies are tools to help you and your organization! When you actively use your security policies to keep your organization secure, train the people in your organization, and support the sales process, you are making sure that your policies get the attention that they deserve from across the organization…which incentivizes you to keep them up to date.
Opportunities for keeping your policies up to date:
Another big benefit to keeping your InfoSec policies up to date is that you never know when you might be asked to get a security certification such as SOC 2 or ISO 27001, and if you have been keeping up on your InfoSec program, it will be much easier and faster for you to achieve.
Although it’s common to review your security policies annually, they shouldn’t be treated like holiday decorations that you take out once a year to look at. They are tools to be used all year long…and with that use, they will stay current and relevant and you will stay secure and successful.