Best Practices for Planning, Developing, and Managing Enterprise Security Policies

This IDC Perspective walks businesses through the steps necessary for establishing a successful security policy strategy. Security policies should provide the foundation for meaningful action in mitigating cybersecurity and compliance challenges of all types based on the level of risk that an organization deems tolerable. In addition, by detecting mismatches between their policies and actual practices, businesses can identify potentially serious risks that require correction.However, security policies fail to support these goals when they suffer from problems like lack of actionability, failure to address risks comprehensively, and lack of awareness of policies across the organization.To mitigate these challenges and create policies that drive meaningful action, enterprises require a coherent strategy that addresses all stages of the policy life cycle, from initial policy development and review to policy dissemination and ongoing updates."For effective security policy development, promulgation, and maintenance, having a systematic process in place is key," says Chris Tozzi, adjunct research advisor for IDC's IT Executive Programs (IEP). "And so is identifying the various stakeholders in security policy management and ensuring that you plug them into your processes."