Information technology is strategic to enterprise
growth. Paradoxically, however, it comes with a bagful of
potentially crippling risks that can threaten the very survival
of the enterprise. Today, information assets have to be protected
with the same level of commitment and vigilance that management
devotes to financial supervision and overall enterprise governance.
It is not enough (nor has it ever been) for the board
of directors to ensure that IT investment delivers value and
enables the business. The board must also ensure that the investment
covers what it would take to mitigate the risks that
may arise from its deployment.
The driving force
The board's commitment to the cause is reflected in the creation
of a 'Security Program Policy' that is promulgated to drive
the enterprise's security initiative. This policy sets strategic
organizational directions for security and assigns resources
for its implementation. It describes why the security program
is being established, assigns the CEO the responsibility for
program implementation, and authorizes disciplinary action
for non-compliance.
Zeroing in on issues of concern
The basic objective of the enterprise security program is
to protect information assets. Risk management identifies
those assets, assesses the risk potential, and estimates the
possible damage should the risks be realized. Based on
the results of the risk analysis, and within the
broader directions charted in the security program policy,
a more detailed level of policies is put in place, focusing
on specific issues of concern to the organization. Among others,
these policies would typically cover issues such as
the Internet, email, incident response, contingency planning,
physical emergencies and anti-virus. They are prepared
by the CIO, in coordination with other senior functional managers,
and signed off by the CEO.
Spotlight on IT systems
Issue-specific policies address policy at a broad level,
usually encompassing the entire organisation. They do
not adequately cover issues closer to computer networks, applications,
and data. For example, they are not meant to provide the in-depth
information or direction needed to establish
an access control list in a router. System-specific policy
fills this need. It is much more focused, since it addresses
only one system, and delves deeper into finer areas. These
policies are usually prepared by the IT department/CIO and
signed off by the CEO. Typical system-specific policies would
relate to the deployment of firewalls, the use of access
control technologies, the protection of databases, etc.
Implementing policies on the ground
Security policies do not provide direction or guidance on
how to initiate an action on the ground. They simply dictate
that a certain goal be accomplished, akin to high-level directions
emanating from headquarters to the troops. Policy can be likened
to the Constitution. The Constitution doesn't provide details
like Income Tax exemptions or penal codes; those are supplied by
the numerous Acts and rules of law that underpin it. Similarly,
underpinning the security policies are baselines, standards,
guidelines and procedures that provide detailed information
and directions on how to implement policies on the ground.
Baselines specify the minimum security requirements for a
system; from these, standards that either equal or exceed
the minimum security requirements are developed. Standards
specify how hardware/software products should be used, thereby
enforcing organization-wide uniformity in deploying technology
and processes. Guidelines recommend actions when standards
either do not exist or cannot be applied to a non-routine
system or process. Procedures are the lowest link in the policy
chain; they detail the step-by-step actions that implement the statements
in policies, standards, and guidelines.
Are you secure with security policies?
So, is an organization secure once it develops a comprehensive
set of information security policies? While, worldwide, there
is a clear correlation between security policies and the effectiveness
of security measures in the organization, the CII-PwC Security
Survey 2002 illustrates otherwise. Amongst those Indian enterprises
that have a formal security policy (comprehensive or written
security policies), the effectiveness of security on the ground
was found to be very low, with 60% diffident about the effectiveness
of their security and 17% exhibiting insecurity, in spite
of having a security policy in place.
In the Indian context, the reasons for this astonishing contradiction
are quite clear. Almost half of the organizations
with comprehensive security policies have not conducted risk
analysis before developing their security policies, indicating
a downright lack of understanding of the security policy process.
Besides, it is not uncommon to find organizations putting
security policies in place not to manage their information
risks, but to comply with regulatory pressures such as
the RBI guidelines that stipulate the requirement of security
policies.
Other significant causes of the failure of security
policies in Indian organizations include not classifying data
according to its sensitivity before initiating policy development,
force-fitting security policies picked from the Internet or
other sources into the organization, not conducting end-user
security and policy awareness programs, not monitoring compliance
with IT security policies, not reviewing security policies periodically,
and IT departments issuing security policies in a bottom-up
approach, without relating them to business imperatives and
obtaining top-management commitment.
Policy supervision
Merely developing security policies is futile if they are
not effectively implemented and managed. Policy management
ensures that security policies, standards, guidelines and
procedures are disseminated across the organization. This
is vital because, no matter how well thought out and comprehensive
the security policies are, if people don't know about them,
they are useless. Once a security policy is in place,
the organization must have a way to determine whether the policy
is being followed. Security violations must be investigated
to ensure they do not recur. Issue-specific and system-specific
policies need to be reviewed periodically to keep pace
with constantly evolving circumstances across business and
technology.
The bottom line
Policies that are well written, effectively communicated
and consistently enforced go a long way towards protecting
organizations from IT-related risks. Without security policies,
an organization runs the risk of being misunderstood by its
employees, making it difficult to apply disciplinary measures
if a security violation occurs. Security policies can also
help mitigate organizational and personal liability, and minimize
abuse of computing resources. A comprehensive security policy
provides intrinsic value and strategic advantage to the organization
by enhancing its credibility and bolstering confidence among
customers, partners, and stakeholders. Implemented and managed
effectively, a security policy can visibly increase the ROI on
the security investment.