A security policy sets out the requirements for information security within an environment. Combined with standards, guidelines and procedures, it allows management to take control of information security. In practical terms, it means that employees know what is expected of them, what is acceptable and what is not. This applies both to users of IT and to those who manage it.
Without appropriate policies,
- Staff members may be unaware of their responsibilities and duties regarding IT Security. Consequently, they may deliberately or accidentally compromise corporate information.
- Management may have no recourse against perpetrators.
- Staff have no official guideline for configuring and administering systems with regard to IT Security.
- Systems may be secured inappropriately as the value of the information is not known or has not been adequately determined.
- Management may be unable to demonstrate due care and diligence with regard to information security.
- The company, company directors and management may be held liable.
Generally speaking, organisations operating without a security policy tend to implement security controls inconsistently. This often results in gaps that can be exploited or procedures that fail. Furthermore, detecting and resolving these weaknesses can be difficult and time consuming.