In: Operations Management
Answer
A security policy is a strategy for how your company will implement Information Security principles and technologies. It is essentially a business plan that applies only to the Information Security aspects of a business. A security policy is different from security processes and procedures, in that a policy provides both high-level and specific guidelines on how your company is to protect its data, but does not specify exactly how that is to be accomplished.
After the security policy has been in place for some period of time, which can be anywhere from three months to a year depending on your company, the company's information security controls should be audited against the applicable policies. Make sure that each policy is being followed as intended and is still appropriate to the situation. If discrepancies are found, or the policies are no longer applicable as written, they must be changed to fit your company's current requirements.
After the initial review process, you should regularly review the security policy to ensure that it still meets your company's requirements. Create a process so that the policy is periodically reviewed by the appropriate persons. This should occur both at set intervals (e.g., once per year) and when certain business changes occur (e.g., the company opens a new location). This will ensure that the policy does not get "stale" and will continue to be a useful management tool for years to come.
When changes need to be made, be sure to A) update the revision history section of the document to differentiate the new document from past versions; and B) distribute any modified user-level policies to your users. Clearly communicate the policy changes to any affected parties.
Impact if these policies are not reviewed
1) There won't be any demonstrated commitment to maintaining a secure network, which is what allows the IT staff to do a more effective job of securing the company's information assets. Ultimately, an outdated security policy will increase the risk of a damaging security incident.
2) A security policy can provide legal protection to your company. By specifying to your users exactly how they can and cannot use the network, how they should treat confidential information, and the proper use of encryption, you are reducing your liability and exposure in the event of an incident. If the policy is not reviewed, there won't be a current written record of your company's policies if there is ever a question about what is and is not an approved act.
3) Companies that do business with your company, particularly those that will be sharing confidential data or connectivity to electronic systems, will not be reassured by your security policy.
4) Regulations and standards that relate to the security of digital information will not be met.