FSO Led, Employee Owned Policy-Making Poplicy Through Leadership

Security managers sometimes fight lonely battles to get policy in place to protect enterprise assets. Sometimes we’ve created multi-page documents outlining the do’s and don’ts of sound business practices and how to prevent spillages and leaks of sensitive information. These products are then staffed, hacked up and sent back, re-written and maybe a year later, they are part of a growing number of compliance policies in the enterprise warehouse. Policy is incredibly important, but can be implemented with much less effort on the security manager’s part. More impact with less effort? Sounds like a winning combination.Step one, sound security practices are best implemented when they are someone else’s idea. These policy battles don’t have to be won single handedly if they are part of everyone’s fight. For example, depending on the enterprise structure, the following could be true:

hiring the right employees is Human Resources (HR) job
research and development belongs to program management
buildings belong to facilities
public release reviews belong to business development Instead of writing a lengthy security policy, review existing policy and make sure HR requires background checks on all employees, program management practices system security engineering to engineer out risks, business development has a public release process that protects trade secrets and customer information.
Step two, interview business units to determine what assets require protection. The subject matter experts understand their business and know what is valued and what that value is. HR protects personal identifiable information, program management can identify sensitive processes and facilities has the layout for physical security. 

Step three, identify impact of loss. Will it shut down business, will loss be negligible, will the customer pull contracts? Determine the impact to get an understanding of what resources need to be allocated and protective measures put in place.

Step four, brief the SME policy makers on the identified assets and impact of loss or damage. This is to emphasize what was discussed and the agreed upon actions. “We’ve identified that all requests for public release must go through the subject matter expert, the first VP in the rating chain, security and forwarded to the customer. Do we have that process documented and in practice?” If so, there’s your policy to protect sensitive information. If not, then the owner of the process (in this case business development) takes responsibility to add this to the enterprise policy.

Continue this throughout the organization. As a risk or security manager, you’ve just had other business units develop and implement policy that supports your role in asset protection. Though the working groups are security led, others own the process, document and enforce it. You get all the credit.

For more ideas of security policy see DoD Security Clearances and Contracts Guidebook

 

Jeffrey W. Bennett, ISP is the owner of Red Bike Publishing Red Bike Publishing . He regularly consults, presents security training, and recommends export compliance and intellectual property protection countermeasures. He is an accomplished writer of non-fiction books, novels and periodicals. Jeff is an expert in security and has written many security books including: "Insider's Guide to Security Clearances" and "DoD Security Clearances and Contracts Guidebook", "ISP Certification-The Industrial Security Professional Exam Manual", and NISPOM/FSO Training".