INFOSEC - Information security policies should be simple

04.04.2006
Focus and simplicity are key to developing and implementing companywide information security policies, according to IT managers at a panel discussion at the Infosec World conference in Orlando this week.

"Pick your battles," said Anish Bhimani, the chief information security officer at JPMorgan Chase & Co. He urged companies to "be crystal clear what your objectives are" and spell them out in a policy that is easily read and understood by other workers.

Bhimani also stressed that companies should avoid developing a laundry list of overly specific compliance items that will be hard to enforce.

JPMorgan Chase, for instance, has adopted a relatively short list of "must comply with" information security policy items that encapsulate the company's high-level data protection goals. It also has implemented a broader set of "should comply with" items that are a bit more of a stretch, he said. "One of the things to consider is how many controls are you asking people to comply with. Just focus on the things that matter."

"By definition, policies are mandatory" and should only include items that absolutely must be complied with, said Charles Pask, managing director of ITSec Associates Ltd., a consultancy in Leicester, England. The specific standards and controls needed to comply with official policies should then be implemented as part of an overall risk assessment program, he said.

Sandy Bacik, corporate security officer at Tekelec Inc., a Morrisville, S.C.-based provider of telecommunications services, said that information security policies should guide behavior and need to be kept separate from broad security standards and guidelines. For example, a company could have an enterprise policy requiring business units to protect their information assets based on the importance of that information to the business. A guideline around this would probably inform information owners about the need for strong access controls, while a standard would mandate the need for them to use strong passwords, she said.