Security Policies: Where to Begin

Published: 08 Feb, 2003
Created by:
Laura Wills

A company has hired you as its Security Officer after realizing that it has been applying security in an ad-hoc fashion and has not put in place the security policies needed to reduce the risk to its corporate assets. The company has implemented many of the standard security products and technologies (firewalls, anti-virus, IDS, etc.), but viruses and intrusions still occur. As the newly appointed Security Officer, you are to develop the company's security policies and procedures from top to bottom to provide a cohesive approach to addressing security going forward. This is an enormous job; where do you begin? Many organizations and their staff truly lack an understanding of what security policies are designed to do. Your mission is to educate all levels of the organization on the role they play in identifying potential threats, and on when to escalate and to whom, so that the risk can be assessed and a mitigation strategy developed. The intent of this paper is to guide you through the process and the considerations involved in developing security policies within an organization; however, it will not attempt to write the initial policies. There are a multitude of excellent websites and software products available that can assist with the actual development and provide sample formats.