Security Policy Development

Information security often focuses narrowly on the use of technology to mitigate threats. Our experience has shown that policies and procedures, complemented by technology, provide a more effective defence than technology alone. The intangible nature of policies and procedures frequently means they are viewed as less important than technological controls and given a lower priority. However, until policy and procedure are formally defined in an organisation, the direction and focus of its information security strategy cannot be known. This results in a situation familiar to many organisations, where point-source solutions are implemented in an ad hoc manner to put out fires in a constant game of catch-up.

At Jake Smith Consulting we encourage the development of a high-level information security policy as a first priority for all organisations. Detailed policies, procedures and standards are then developed as the information security program matures. Their content is dictated by the results of a risk management exercise which reveals the directions that the security program should take. These policies, procedures and standards can then be referenced when selecting technical security controls and when performing security reviews on new IT system developments. This ensures that the progression of information technology within the organisation is always in line with defined security goals.