While collaborating on a Mission College (MC2IT) Security and Privacy Board meeting a few years ago, another board member and I were discussing the challenges of managing an information security program, how we can get more students involved in security, and how to get more people involved in managing an organization’s security policies. He said that one of the biggest (expletive) challenges in policy management is the fact that once you have your policies in place, they immediately become out of date. And, unfortunately, this is accepted as an inevitable reality in many organizations (big and small)!
So, how do you keep your security policies current? Use them! Use them! Use them! Security policies aren’t a hoop to be jumped through. They aren’t a burden to bear. Your policies are tools to help you and your organization! When you actively use your security policies to keep your organization secure, train the people in your organization, and support the sales process, you are making sure that your policies get the attention that they deserve from across the organization…which incentivizes you to keep them up to date.
Opportunities for keeping your policies up to date:
Another big benefit to keeping your InfoSec policies up to date is that you never know when you might be asked to get a security certification such as SOC 2 or ISO 27001, and if you have been keeping up on your InfoSec program, it will be much easier and faster for you to achieve.
Although it’s common to review your security policies annually, they shouldn’t be treated like holiday decorations that you take out once a year to look at. They are tools to be used all year long…and with that use, they will stay current and relevant and you will stay secure and successful.