The compliance and regulatory requirements facing today's enterprise organizations seem to keep growing, and they put more pressure on both information and physical security practices than many organizations can keep up with, in both the time and the money needed to mitigate the underlying risks.
In an article written by Ericka Chickowski, she states that the key to bringing equilibrium to this challenge is a set of unified policies that guide security standards and procedures, so that the organization both minimizes risk and complies with regulations now and in the future.
Chickowski's article does a nice job of listing helpful tips on what organizations should and should not be doing when developing their security and compliance policies.
For example:
- Don't get caught up in individual regulations; instead, develop a policy framework that can be managed and adjusted as all risk considerations require, including new mandates, which are bound to arrive.
- Let risk considerations lead policy decisions and then map compliance reporting to that, not vice versa.
- Be clear on the following definitions: a policy is management's definitive position on a specific issue, intended to ensure consistency; a standard is a specific, measurable requirement that governs an operation, configuration or process in order to satisfy a policy; and a procedure is a set of step-by-step instructions required to satisfy a given standard. Understanding how each feeds into the others helps your organization act on the directives in each and makes it easier to bring clarity to policies.
- Be certain that policies are aligned with the strategic direction the organization wants to follow and that they are attainable.
- Policy statements should not only be designed to help mitigate risk; they should also be written with auditability in mind.
If some of these ideas make sense to you and could be useful in your own organization's effort to manage its policies, standards and procedures, then click here to read Ericka Chickowski's full article.