Firms need structured security policies, says Gartner

It is essential for any business to have a structured security policy with clear language to address all levels of employees, a Gartner analyst has warned.

Speaking at Gartner's IT Security Summit in London, Les Stevens said it was crucial for businesses to start recognizing the key factors influencing the success or failure of policy management.

Many businesses failed to learn from actions that hurt the development of successful policies, he said. These included a low focus on business requirements, risk and implementation, alongside too much focus on pleasing managers and on fitting in with audit requirements -- all to the detriment of building policies specific to the business.

Another problem identified by Stevens was the lack of management support and weak communication culture in some organizations.

"What you need is clear and concise content, a clear definition of roles and responsibilities, a defined purpose, and obvious consequences for noncompliance by staff. It also needs to be in the language of the audience," he said.

"The implementation must fit within the culture of the organization, and be regularly reviewed and maintained. There have to be audits of how well the company is sticking to these policies."

It was essential to have both a hierarchy of policies and of responsibilities in implementing them, said Stevens. To implement policies, he said a top-down charter was needed, together with generic policies and more specific plans for departments, alongside non-enforced standard procedures and guidelines.

The chief information security officer and the chief executive should have responsibility for security policy development, Stevens said, while the information security committee should be in charge of the approval and implementation of that policy.