Effective Policy: Building a Company-Wide Culture of Security
If it were possible for IT Security to be provided by equipment that magically repelled every attack and countered every breach, there would be no need for written policies detailing appropriate human behavior and expectations. It is precisely the human factor that makes IT Security such a moving target. Hackers prey on the security gaps created by the often innocent but flawed daily activities of regular staff members, activities that circumvent the hardened perimeter defenses that IT has deployed. Written policies are the guidelines, procedures and expectations that form the foundation of a company-wide “security culture” in which all staff members take an appropriate, active part.
- Without effective policy, there is no basis for HR counseling or discipline to occur
- Without effective policy, there is no basis for appropriate management expectations
- Without effective policy, there is little chance for regulatory compliance
- Without effective policy, there is no clearly defined authority for the IT team to deploy and maintain solid security systems