Put succinctly, information security is the sum of the people, processes, and technology an organization puts in place to protect its information assets. Together, these measures prevent the unauthorized disclosure, disruption, access, use, or modification of those assets.
While policies do not fix issues on their own, and can in fact make matters worse unless they are properly established and followed, they do define the ideal toward which all organizational efforts should be directed. Good policy protects information and systems, individual employees, and the corporation as a whole. It also serves as a public statement of the organization’s commitment to security.
Outsiders (such as repair technicians, consultants, and temporary workers) and outside organizations (such as other departments, educational institutions, and contractors) who have access to your system should sign agreements requiring them to respect and safeguard the confidentiality of your data. However, be cautious about disclosing more about your security operation than is essential to outsiders. Even seemingly innocuous details about how your security will react can give a competent attacker an advantage in interfering with your system. Instead, confine security briefings to the minimum necessary to (1) prevent outsiders from breaking your defenses, (2) demonstrate that you are serious about protecting your system assets, and (3) ensure that they handle your assets safely.
Because of the rapid pace of technological change, all security measures must be reviewed on a regular basis. How often? That depends on the needs of your organization as well as your technical capability. In general, each new technological advance has the potential to require a policy change, so it is a good idea to review all organizational policies (security and otherwise) at least once a year.
With that said, how well do you know your company’s security policies? How safe are they?