Security policies are an organisation's first line of defence

Security policies should be an organisation's first line of defence, but they often do not play as critical a role as they should.

The policy is a living document that needs to be written so that it speaks to the general employee population, third-party auditors, the IT department, and potential partners and suppliers alike.

Generalised policies need to be written so that updates do not become overly burdensome, yet still provide a call to action to prevent breaches from occurring, or lay out the proper procedures to follow should a breach occur.

Most organisations opt to write the security policies themselves, using common sense and their own experiences as a guideline. However, there are also software packages available from organisations, such as Pentasafe (recently acquired by NetIQ), that automate the ability to create these policies.

The actual setting of security policies within an appliance, such as the firewall server, is the other aspect of policy management.

Companies need to make sure that the policies are flexible enough to allow information to flow, but not so lenient that the doors to the organisation are completely open.

It is a fine balance that needs to be monitored closely and consistently, but often isn't. Today's renewed interest in security policy stems from the continued expansion beyond the traditional boundaries of an organisation to partners and suppliers, as well as a closer tie-in to business continuity responses should a disaster occur.

Many external partners are demanding to review security policy documents and configurations before doing business, to ensure that the transfer of information and Intellectual Property (IP) from one company to the next will be secure.

This awareness will only grow as IP is shared more easily across the Internet. Organisations need to ensure that they are no longer simply meeting the minimum requirements of the security policy document to keep the auditors content, but that they understand that maintaining policies is not only a matter of strong password protection, but also one of trusted relationships and an avenue to create additional revenue.