A discussion on security policies at the Infosec World
conference in Orlando suggested focus and simplicity are key
elements in developing and implementing companywide information
security policies.
Anish Bhimani, chief information security officer at JPMorgan
Chase, urged companies to “be crystal clear what your objectives
are” and spell them out in a policy that is easily read and
understood by other workers, while avoiding developing a “laundry
list” of overly specific compliance items that will be hard to
enforce.
JPMorgan Chase has adopted a relatively short list of “must
comply with” information security policy items that incorporate the
company’s high-level data protection goals, but has implemented a
broader set of “should comply with” items that are more difficult
to meet.
Security policies need to be easily enforceable to be effective,
according to Philip Maier, vice-president of the information
security, emerging technology and network group at Inovant, which
is Visa’s IT unit. He suggests vetting all policies with an
enforcement group to ensure there's a realistic way for them to be
enforced.
Another issue for multinational companies with global operations
is to write security policies that retain the same meaning across
different languages.
Security policies are the area of security that is most often
forgotten by companies, yet they are frequently the most important.
Some clear advice from JPMorgan Chase and Visa is welcome.