An approved information security policy

Six months after submitting a draft for approval, I have finally been able to receive the necessary support for an official, ratified information security policy. I have buy-off from the CIO, COO, CFO, audit, HR and Legal – all very necessary parties to such a policy. It’s also critical to get informal input and approval from the helpdesk and desktop support, as they are in the trenches with the end-users, to whom most of these policy items apply.

HR sent the document out to everyone in the company and asked for a written commitment from all employees that they will follow it. It will now be distributed to all new hires as part of the onboarding process.

Quite honestly, this is the first organization where I have had to write an infosec policy from scratch. In all of my past positions, I have had to add to or modify security policies, but I had a foundation. This has been a positive experience and has forced me to learn. I can say now that having some official document stating a company’s position on information security is absolutely critical. In retrospect, I think I should have made the document shorter and more general, and referred to other process and procedure documents. While that might have offended my sensibilities and fallen short of my desire for a comprehensive treatment, it would have expedited the approval process.