Another of the issues we look into in December’s BIR concerns the challenges around the effective implementation of policy: why it is so important and what the solutions may look like. On reviewing the subject I discovered that poor implementation of policy was not specific to any one sector; the same challenges faced everyone. Of particular interest was an Oracle-sponsored Economist Intelligence Unit report – Enabling Efficient Policy Implementation (2010). The research investigated both the challenges and opportunities faced by organisations today and discovered that poor implementation of policy could be catastrophic for organisations, leading to lawsuits, prosecution or fines; however, these consequences did not greatly affect how policy was created, communicated and implemented.
We have seen the consequences of poor information security policy implementation first-hand, with most weeks having a new incident reported in the news. The latest story to hit the headlines is the security breach at British Gas, but perhaps the biggest story was that of TalkTalk. This illustrates the close link between IT security policy and information security policy, but also the lack of clear standards on what levels of security are needed for different types of information held (http://www.theguardian.com/technology/2015/oct/23/talktalk-criticised-for-poor-security-and-handling-of-hack-attack).
There is a definite need to be proactive in policy implementation, from first-stage communications to effective monitoring, all of which needs to be properly resourced: a challenge indeed in many of today’s leaner organisations. A challenge, yes, but a highly important one; as the EIU report nicely states, “policy cannot enact itself”!
But then, if resourcing is important, so is the need for effective ways to ensure that those affected by the policy see its importance and adhere to it. Well, yes, of course, but this seems to be easier said than done.
At the start of our exploration of this area, two of our articles look at policy this time, considering the need for information security management and the importance of information asset management. Read more in December’s issue and follow us on this subject throughout 2016.