A discussion on security policies at the Infosec World conference in Orlando suggested focus and simplicity are key elements in developing and implementing companywide information security policies.
Anish Bhimani, chief information security officer at JPMorgan Chase, urged companies to “be crystal clear what your objectives are” and spell them out in a policy that is easily read and understood by other workers, while avoiding developing a “laundry list” of overly specific compliance items that will be hard to enforce.
JPMorgan Chase has adopted a relatively short list of “must comply with” information security policy items that incorporate the company’s high-level data protection goals, but has implemented a broader set of “should comply with” items that are more difficult to meet.
Security policies need to be easily enforceable to be effective, according to Philip Maier, vice-president of the information security, emerging technology and network group at Inovant, which is Visa’s IT unit. He suggests vetting all policies with an enforcement group to ensure there's a realistic way for them to be enforced.
Another issue for multinational companies with global operations is to write security policies that retain the same meaning across different languages.
Security policies are the area of security most often neglected by companies, yet they are frequently the most important one. Some clear advice from JPMorgan Chase and Visa is welcome.