Drivers of information security policies
Traditionally, security policies were driven by the need to mitigate the risks that the organization's information assets faced from external threats and internal vulnerabilities. Today, however, they are also driven by the obligation to comply with legislative and regulatory requirements, and by the need to underpin business expansion strategies by creating trust relationships between the organization and its customers, partners and stakeholders. From being mere instruments of risk management, security policies have become vital enablers of business operations and strategic imperatives.
Implementing security policies
An organization's information security policy is driven from the highest level. It starts with the Board of Directors initiating a security program policy, which is a formal definition of the organization's posture and approach to information security. It defines the business purpose for initiating the security program and the goals to be achieved; delineates the facilities, assets, hardware, software and personnel to be included in the program; and defines the compliance imperatives of the program by authorizing a framework to manage and monitor the security status and to initiate disciplinary action for violations. The CEO or head of management is made the owner of the security program. The CEO implements the security program through a Security Committee appointed for the purpose, or through the CIO/CSO.
A robust security program begins by clearly classifying the information assets of the organization and nominating their owners, custodians and users, along with their responsibilities for safeguarding those assets. This is followed by a risk assessment to determine the external threats to the information assets and the internal vulnerabilities in them.
The risk assessment provides a clear perspective of the risks posed to each asset, the probability of each risk materializing, the impact on the business in the event of the asset's loss or breach, the safeguards available to mitigate the risk, and the cost of each alternative safeguard vis-à-vis its benefit.
The risk assessment is followed by development of the organization's information security policies. The security policies aim to mitigate the risks identified during the risk assessment exercise. At this point, the organization would also evaluate its business processes to see whether any security or privacy policies need to be put in place to meet legislative or regulatory requirements, or to support other business strategies.
A common fallacy among many organizations is to consider the development of security policies an end in itself. In reality, the development of enterprise security policies is the beginning of the security process. Once the enterprise security policies are developed, the standards, guidelines and procedures for implementing them on the ground have to be developed. In larger organizations, the Enterprise Security Architecture (ESA) flows from the security policies.
A crucial phase in the implementation of a security policy is its dissemination to employees and other concerned personnel. The whole purpose of implementing security policies is to inform people of what they should do to follow good security practices, and to initiate disciplinary proceedings if they violate the security policies. However, a large number of organizations do not have formal processes to distribute the security policies across the enterprise so that employees become aware of them and incorporate good security practices into their day-to-day work.
Though surveys show that about 50% of Indian corporates have documented security policies in place, the ground reality is that very few of those security policies are effectively implemented organization-wide. In fact, security surveys would serve their purpose more meaningfully if they projected a truer on-the-ground perspective, i.e. if they identified the number of organizations whose employees were aware of their organizational security policies, rather than just the number of organizations that owned a security policy.
Effective implementation of enterprise security policies is an ongoing process. Changes in business processes, strategies, or the external threat environment may all affect the risk posture of the organization, which would necessitate a review of the existing security policies to mitigate the new risks. Therefore, effective security policies require periodic review to keep them in step with business and risk realities.