Security Policy development over the years, from a few pages to volumes

Two decades ago, information security policies were written as guidelines, a list of do's and don'ts. Over the years, threats arriving through many different channels have forced every enterprise to grow its information security policy from a few pages into many, so that it addresses every potential threat. This article describes how security policy development has changed over that period.
 

Security Policies decades ago

Initially, the security policy was created by the IT department for technology users. It read more like a set of guidelines, covering topics such as passwords and access controls. Only minimal controls were in place, and there was little awareness of existing vulnerabilities. The use of IT systems was confined to the enterprise, with very little exposure of data to the outside world.
 

Security Policies now

Today, a major part of information security policy has been added in a reactive mode. In other words, only after a threat has exploited a vulnerability and caused major damage to the confidentiality, integrity or availability of an enterprise's assets are new security controls defined and existing policies strengthened. Business has grown many times over and is operated across the globe, and business data is now exchanged with regulators, federal governments, third-party vendors, business partners and data centers, as well as among affiliated companies or group companies, both within the country and internationally.

Today, the enterprise's business data is used by the IT technical team, business users, customers, partners and vendors, so an enterprise must develop information security policies that cover all of these users. Where the enterprise once merely advised users of the IT environment to choose a strong password, strong-password tools are now integrated into the system and enforce that users set one.
 
As discussed earlier, most security policy upgrades were made in a reactive mode rather than as preventive controls. For instance, after the 9/11 attack, the loss of life and the huge loss of business data forced enterprises to revisit their Business Continuity and Disaster Recovery strategies and improve their operational resilience against security incidents and operational downtime. A great deal of investment has since been made in the Business Continuity and Disaster Recovery domains. Similarly, the Sarbanes-Oxley Act (SOX) was created in 2002 in response to corporate scandals.
 
The current information security policy focuses on defense in depth and runs to a large volume of pages. Unlike in the past, it covers IT operations end to end: access controls, physical security, coding practices, password management, change management, configuration management, ingress and egress data transfer, and much more.
 

Conclusion

In the past, security policies were written in technical terms meant for the people who worked in the IT division. Today, security policies are no longer technical jargon; they are written in plain language that ordinary computer users can understand. Over the same period, the IT security budget has increased tremendously. The growth of web-based applications and of data transfer across geographies has forced every enterprise to revisit its information security policies to safeguard the confidentiality, integrity and availability of its assets. IT security research teams across the globe have also contributed significantly to the development of security policy that addresses critical security challenges.
 
Authored by-Ananda Narayanan G
TCS Enterprise Security and Risk Management
There is 1 Comment

A Security Policy is just that: it's there to document your 'Security Policy'. It should not include policies for Network, Anti-Virus, Cyber Security or any other technical requirements, as they can be documented individually as required.
The Security Policy shouldn't be longer than 3 pages in length, including company sign-off and that of the individual. Sounds simple, though I prefer to keep things simple and do follow the process for ISO 27001/2.
All things in life don't have to be technical, nor require reams of documentation!!