At its core, data security is used to protect
business interests.  To realize this purpose, it takes both the
physical means to “be secure”, as well as the governing policies
needed to institutional acceptance.  Ultimately, policy
success depends on having clear objectives, actionable
scope, and inclusive development.  Read on to learn more.

By and large, every IT department has the same core mission to provide the means and
methods for creating, storing, transmitting, printing and retrieving business related
information.  By design, this
operational mission is driven by the need to “protect”, which also
includes preventing unauthorized access, uncontrolled modification
and unwarranted destruction.  The priorities are self evident –
data integrity is vital, and vital needs must be met with purpose
and committment.  The tricky part is to balance vital interests
with the associated costs and operational overhead.  This is
the higher purpose of data security and the goal of related policy
development.

---

---

Data Security Practices and Policy Purpose

As discussed, “data security” provides the means by
which business data and related information is protected and
preserved.  This is realized in multiple ways, as listed below:

• Data security technology and practices provide the means by which data can
  be safely created, stored, transmitted, printed and retrieved.
• Data security technology and practices provide the means by which data
  accuracy and integrity is ensured and maintained.
• Data security technology and practices provide the means to prevent and
  control unauthorized access,
  modification and destruction.
• Data security technology and practices provide the
  opportunity to minimize the risks and costs associated with
  data loss, data corruption and unauthorized access.

Of course, the physical means of “securing data” are essential to
the process. 
You must have the technical ability (through hardware and software) to physically meet each of the
above listed objectives.  But that will only take you part of
the way.  To realize all of the intended benefits, data
security practices must be “institutionalized” – i.e. 
integrated into the corporate culture and made part of how a given
organization works.  This is achieved through the development
and implementation of effective “data security policy”.  Policy
is a governance mechanism, used to translate tangible security
objectives into organizational terms that can be implemented and
enforced.  In the case of data security, related policies
provide the “how, what, and why” to communicate security objectives
and promote expected compliance.

To fulfill this mission, data security policy must be
developed and
documented to answer the
following formative questions:

• What is the overall policy purpose?
• What is the underlying basis (background events and delegated authority) driving policy
  formation?
• What is the planned scope of the policy (considering the organizational jurisdiction
  and range of application)?
• Who are the policy stakeholders (those with an interest in the policy or ability
  to influence policy outcomes)?
• What are the underlying “means and methods” to be used to implement and enforce
  policy requirements (considering data security tools, software, devices and related
  materials)?
• What are the planned guidelines for policy compliance and enforcement?

Take an Inclusive Approach to Policy Development

Every data security policy will benefit from an inclusive
approach to development and implementation.  It takes a
partnership between all of the interested and invested stakeholders
to fully realize policy relevance and enforcement.  In the
collaborative approach, the end-user partner defines the
need (the data to be protected and the business basis behind the
security requirements).  The IT partner provides the
technical means (and capability) by which the identified data
security needs can be met.  These needs and means are
then combined to form actionable policy through an “inclusive”
development process, characterized by input and collaboration at
every stage:

• Policy planning relies on input and
  information relating to data security needs and policy
  objectives.
• Policy preparation relies on the review of
  policy drafts, negotiation, and feedback relating to specific
  terms and related obligations,
• Policy implementation relies on the
  documented acceptance (and approval) of policy terms and
  compliance obligations on the part of decision making
  stakeholders.

As policy development unfolds, checkpoints should be established
to ensure that all decision making stakeholders have been
sufficiently engaged in  the development process. 
Considering the long term benefits of collaborative policy
development (compliance is more readily secured when you have
advance buy-in), it’s always a good idea to create a “policy team”
or committee as the organizational vehicle for policy development. 
This policy team or committee should include members from all sides
– the end-user community, IT department, Legal department, Human
Resources and any other appropriate department with something to
contribute.  This will help to ensure that the policy delivered
represents all interests, incorporates all concerns, and has the
greatest chance to succeed.

---

THE IT SERVICE STRATEGY TOOLKIT

If you’re looking for a fast, easy way to achieve IT service success, you’ll find it inside
the IT Service Strategy Toolkit. This unique, informative online course gives you everything you need to become
an IT management leader and service planning expert. Here’s what you’ll learn:

• The I.T. Service Strategy Toolkit is an easy, engaging online course, containing over 50+
  education components, teaching you how to use the multi-stage ‘Service Strategy Process’ to organize the I.T. service function and deliver value-added I.T. services.

• Topics covered include developing the IT mission, organizing the IT service department, planning IT management policies, managing the IT/end-user service relationship, performing the IT service review, and more.

• Techniques covered include ‘Define, Align and Approve’, the ‘Manage by Process Framework’, the IT/End User Partnership, Proactive Problem Management and more.

• Download the tools and templates to produce the I.T. Vision Statement and multiple Service Review deliverables.

• Build and improve strategic planning skills, as you learn time-saving techniques to become a more productive IT manager or service professional.

• Course enrollment provides lifetime access to all components, with all future updates and additions included.