Fundamentals of Data Security Policy in I.T. Management


At its core, data security exists to protect business interests.  Realizing that purpose takes both the technical means to "be secure" and the governing policies needed to achieve institutional acceptance.  Ultimately, policy success depends on having clear objectives, actionable scope, and inclusive development.  Read on to learn more.

We all know that I.T. stands for "information technology", and that's no accident.  It reflects the primary mission of every I.T. organization: to provide the means and methods for creating, storing, transmitting, printing and retrieving business-related information.  By design, that operational mission carries an obligation to "protect", which includes preventing unauthorized access, uncontrolled modification and unwarranted destruction.  The priorities are self-evident: business data must remain confidential, accurate and available, and vital needs must be met with purpose and commitment.  The tricky part is to balance those vital interests against the associated costs and operational overhead.  This is the higher purpose of data security and the goal of related policy development.

Get an illustrated view of IT policy planning and development in our informative infographic:  The Fundamentals of Sound IT Policy

Data Security Practices and Policy Purpose

As discussed, "data security" provides the means by which business data and related information is protected and preserved.  Data security technology and practices realize this in several ways.  They provide the means to:

  • Safely create, store, transmit, print and retrieve data.
  • Ensure and maintain data accuracy and integrity.
  • Prevent and control unauthorized access, modification and destruction.
  • Minimize the risks and costs associated with data loss, data corruption and unauthorized access.

Of course, the physical means of "securing data" are essential to the process.  You must have the technical ability (through hardware and software) to meet each of the objectives listed above.  But that will only take you part of the way.  To realize all of the intended benefits, data security practices must be "institutionalized", i.e. integrated into the corporate culture and made part of how a given organization works.  This is achieved through the development and implementation of effective "data security policy".  Policy is a governance mechanism, used to translate tangible security objectives into organizational terms that can be implemented and enforced.  In the case of data security, related policies provide the "how, what, and why" needed to communicate security objectives and promote the expected compliance.

To fulfill this mission, data security policy must be developed and documented to reflect the following components and answer the underlying formative questions:

  • Policy Purpose
    • What are the specific goals of this data security policy?
    • Why has the policy been created (considering the background events leading to policy development)?
    • What will the policy accomplish considering data security goals and objectives?
  • Policy Basis
    • What is the underlying authority and/or organizational basis for this data security policy (considering internal guidelines and/or external regulatory requirements)?
    • Do you have sufficient executive support to enforce compliance with all of the policy provisions?
  • Policy Scope
    • What are the organizational targets of the policy: does it apply company-wide, to a specific division, to a specific department, or to a specific location?
    • What are the data targets of the policy considering the types of files, records, information and applications covered by the policy?
  • Policy Stakeholders
    • Who are the policy stakeholders considering both individuals and groups who have a vested interest in the policy and ability to influence the outcome?
    • What are the specific roles and responsibilities required to implement, administer and enforce all policy terms, including all stated compliance obligations?
  • Security Means and Methods
    • What are the means and methods to be used to realize all identified data security requirements, including data encryption, data access restrictions, security monitoring, data classification, user ID requirements, password requirements, data storage mechanisms, and related matters?
  • Compliance and Enforcement Guidelines
    • What are established guidelines for data security compliance?
    • Will there be any exceptions and/or waivers with regard to policy compliance?  If so, what are the terms under which exceptions and/or waivers will be granted?
    • How will compliance be enforced and what are the consequences for a failure to comply?
    • How will employees be provided with training relating to data security compliance?
    • What types of auditing procedures will be used to monitor and promote data security compliance?

Take an Inclusive Approach to Policy Development

Every data security policy will benefit from an inclusive approach to development and implementation.  It takes a partnership between all of the interested and invested stakeholders to fully realize policy relevance and enforcement.  In the collaborative approach, the end-user partner defines the need (the data to be protected and the business basis behind the security requirements).  The IT partner provides the technical means (and capability) by which the identified data security needs can be met.  These needs and means are then combined to form actionable policy through an "inclusive" development process, characterized by input and collaboration at every stage:

  • Policy planning relies on input and information relating to data security needs and policy objectives.
  • Policy preparation relies on the review of policy drafts, negotiation, and feedback relating to specific terms and related obligations.
  • Policy implementation relies on the documented acceptance (and approval) of policy terms and compliance obligations on the part of decision making stakeholders.

As policy development unfolds, checkpoints should be established to ensure that all decision-making stakeholders have been sufficiently engaged in the development process.  Considering the long-term benefits of collaborative policy development (compliance is more readily secured when you have advance buy-in), it's always a good idea to create a "policy team" or committee as the organizational vehicle for policy development.  This policy team or committee should include members from all sides: the end-user community, the IT department, the Legal department, Human Resources, and any other department with something to contribute.  This will help to ensure that the policy delivered represents all interests, incorporates all concerns, and has the greatest chance to succeed.

For more on IT policies, download our free IT Policy Templates (for policy preparation and evaluation) and see the policy related articles listed below:
Six Keys to Sound I.T. Management Policies
Fundamentals of Email Usage Policies
Planning Policies for IT Asset Management
Policy Planning for End-User Technology Standards
