6.3. A Living Document: The Security Policy Lifecycle

Like many of the policies you deal with day to day as part of your job, your organization's security needs continue to change over time. In some cases, new business initiatives create new security concerns. In other cases, new threats dictate how you adapt your defenses. Whatever the reason, your security policies need to keep pace, if only to add policies when the security landscape changes or to retire old ones that no longer match your business needs.

You might think that you should change policies every time a new threat comes to your attention. Nix that idea: end users and the people who must implement those policies will resist frequent change and will likely be slow to adopt it, so a policy that changes every week is a policy nobody follows.

Instead, we recommend that you

  • Make major policy changes only when absolutely necessary.

  • Roll out new policies only when you're sure that the organization needs them and that they'll stay current and applicable for the foreseeable future (in other words, you don't expect to be changing them again next week).

6.3.1. Up to date

Keep tabs on the IT industry, and more specifically on the security industry. Monitoring new types of products, reading trade journals, and speaking regularly with peers in other organizations can help you stay on top of new developments in the security field.

As attackers exploit new classes of vulnerability and develop new types of attack, you may need to introduce new policies (and potentially adopt new technologies) to deal with them. If you keep yourself educated about the security market, you will be better equipped to act quickly and decisively when the need arises.

6.3.2. In sync

Keep yourself apprised of changes in your company's business.

For example, if your company is entering a new line of business, new security requirements might come along with the new product or service offering. Say that your company has a new product intended for the federal government market. Government buyers often require that products be evaluated under a scheme such as Common Criteria, and that evaluation examines not only the product's security features but also the vendor's development practices (such as configuration management and secure delivery). Vendors adapt both their products and their processes to pass the rigorous tests and audits that Common Criteria evaluation involves; a product that doesn't comply doesn't receive Common Criteria certification.

Security policies can have an impact on the product that your organization sells or provides — a fact that you might point out to your management when you present your vendor recommendations.


Also, keep abreast of new rules and regulations, or compliance mandates, that apply to companies in your market.

In recent years, the payment card brands have imposed the Payment Card Industry Data Security Standard (PCI DSS) on merchants and processors that handle card data, while lawmakers have imposed the Health Insurance Portability and Accountability Act (HIPAA) on healthcare organizations and the Sarbanes-Oxley Act (SOX) on public companies. Each of these mandates has greatly affected the security policies of the companies in its market. You have to ensure that your company doesn't run afoul of these kinds of requirements, because non-compliance can result in hefty fines, loss of the ability to process payments, or other penalties.
