FAQ - About Security Policies
Why do we need an IT security policy?
Imagine automobile traffic if there were no traffic laws; if no
rules defined what was right and wrong in traffic; if the same
number of people drove on the left and on the right side of the road.
Imagine if some stopped for green lights and some stopped for red
lights, while others didn't stop at all!
Traffic rules provide safer traffic. IT security rules provide
IT security.
IT security rules are defined in an IT security policy. A policy
defines the "IT traffic rules" of your organization. Your policy
should describe how much security your organization needs. It is
not necessarily true that more is better; you need to define
the level that is right for you. A risk assessment method can be
used to determine that level. The results of your risk assessment
are used to define or refine the contents of your security policy,
and your security policy becomes the "traffic rules" of your
organization.
Do I need an IT security policy, an information security policy
or a security policy?
"IT security" is a subset of "information security", which in
turn is a subset of "security".
Most organizations have a need to secure their information
assets and, therefore, an information security policy. There is
little value in having IT security without rules for secure
information handling.
Whether you also need to expand your information security policy
into a complete security policy depends on the individual needs of
your organization. A complete security policy also contains rules
for, for example, fire safety, personnel security and travel safety.
SecureAware is designed for managing all three policy types. The
data structures in SecureAware allow content categories and target
groups to be mapped onto your policy content. That means you can
target your policies at the applicable users across IT security,
information security and security in general.
The built-in content and structures in SecureAware allow you to
build policies that comply with British and international
standards. These also contain controls related to physical
security.
Can we use our current IT security policy in SecureAware?
Yes. If you do so, you will be able to communicate your current
policies to your users more effectively, and you can measure
whether or not they know the contents of your policies. A policy
nobody knows offers no value, and with unknown policies it is
inevitable that unwanted gaps between reality and policy appear.
Also, your current policy, or your current set of policies,
needs to be implemented. The procedure library in SecureAware can
be used to link your current or new procedures to your current
rules and requirements.
Does it take a long time to import our current security policies
into SecureAware?
That depends a lot on your current policies. If you already have
a complete set of rules, the work you are facing is simply to
implement your choices in SecureAware and perhaps add or change
specific wording to match your normal terminology. To a large
extent it will be a copy-and-paste job.
If it turns out that your current policies have shortcomings,
you may decide to implement some new policies or rules. If you do
so, your decision-making process largely determines the time you
spend. In that case, SecureAware helps organize your process for
considering all relevant areas and topics, and you will have a
library of specific suggestions to evaluate.
If desired, Neupart or Neupart's partners can offer professional
services to help you get more value from your current policies with
SecureAware.