Handbook of Information Security Management:Policy, Standards, and Organization

Previous Table of Contents Next


PUBLICATION METHODS

Defining and constructing an excellent policy is not all there is to developing a complete and effective policy statement. To be truly effective, it must be well communicated to the intended audience in the most effective way possible. This includes selecting a publication media that conveys the policy most effectively and also can be updated and distributed as often and as easily as necessary.

Policy Manual (Volumes)

The old standby of policy promulgation is the Policy Manual. This can typically span multiple volumes and be divided into functional interests so that it can be reproduced and distributed throughout the organization according to the particular subject area and the need for reference. The most widely used publication in an estimated 90% of all organizations, the Policy Manual can most often be found in the Human Resources department, the Internal Audit department, or the Employment department.

Although it is widely used, the Policy Manual has some drawbacks. Because it is a paper media, it can be costly to reproduce, tends to be bulky and, the most severe drawback, gives the reader no clue regarding the current status of the policies included in it. Many existing Policy Manuals are out of date, have pages and pages of unposted updates stuffed somewhere in the binder, and are organized well for textbook reading, but poorly for reference.

Nevertheless, the Policy Manual has several considerable strengths. It is generally easy to recognize, it can be created piece by piece without a large single investment of time and resources, and it can be reviewed and read anywhere there is proper lighting; at home, on public transportation, in the workplace, on even outdoors in a park.

Personnel Contact Guides

Some organizations have developed personal contact guides, or individual manuals designed to identify policies for the most frequent relationships that each individual could expect within their job function. Often this is the easiest method for the individual to follow, but it takes a great deal of time and preparation to be an effective option. Each job function needs to have listed a complete list of job functions, and for each job function a list of personal contacts.

If these lists of functions and contacts is thorough, the policies can be a personal guide to how to interact with other people, information resources, communications, and the production components of the organization. Few organizations can muster the discipline to put the personnel contact guides in full production, however this method can be effective for many of the key interpersonal operations and critical standards that need to be well defined to the satisfaction of industry regulators, auditors, or policy reviewers.

Departmental/Functional Brochures

In most organizations, the departmental and functional focus has been used as an effective alternative to the volumes of policy manuals. Using this method, a smaller number of procedures can be developed and put into more compact form. They are often easier to communicate to staff members, and clearly more easily modified and updated. Because the manuals are smaller, the policies can be generally communicated in small department or functional meetings. The written policy is similar, but the communication at a department or functional level allows the policy to be internalized and used more fully by the department and the individuals within that department more quickly than in a multivolume policy manual.

Online Documents

Technology and software tools have introduced the potential for a policy manual developed entirely online. Not a single page of paper is used, not a single binder, but a comprehensive set of policies and procedures is available through online text viewers. Of course, if individuals wanted to print copies of the policies they would be able to use the local print tools to do so. The online method is effective at offering a single, standard copy of the official policies simultaneously to all parts of the organization. It can only be effective if the online version remains the official policy, discouraging the use of printed copies, which might depict policies that are not in force or have been superseded.

Although there are some operational challenges that face the use of online documents as a sole method of policy deployment, this method is gaining popularity because of the decentralized costs required to develop or communicate these policies to each person. Other challenges remain in effective distribution of online documents, for example, how to communicate parts of internal documents to external organizations and individuals. Present methods involve publishing such documents on the Internet or a limited access intranet.

SUPPLEMENTS TO WRITTEN POLICIES

In many organizations, policies have been augmented by other nonprinted media to enhance their usefulness and make them more appealing to the intended reader. These supplements can include all types of communication media and integration styles. Chiefly used as a supplement to the printed policy, these features generally require some kind of electronic or specialized media for them to be fully effective. As a result, the use of these policy supplements is encouraged mostly within the office, and only occasionally at home.

Video/Audio Publications

Many organizations recognize the recent trend toward employees who work at home and have started using media available in the home to provide supplements to “official” policies. Videotapes and audiotapes can provide employees with quick reference, and often are more entertaining and able to capture attention more effectively than print media. As the communication bandwidth increases, these policy supplements can be viewed or played remotely without the need for physical media whatsoever.


Previous Table of Contents Next



The CISSP Open Study Guide Web Site

We are proud to bring to all of our members a legal copy of this outstanding book. Of course this version is getting a bit old and may not contain all of the info that the latest version are covering, however it is one of the best tool you have to review the basics of security. Investing in the latest version would help you out in your studies and also show your appreciation to Auerbach for letting me use their book on the site.