Reflections — Module 3

Zwivhuya
Mar 23, 2021

Corporate governance, policies, and the regulatory environment

Information security corporate governance, policies and regulation

In module 3, I learnt about information security related corporate policies. I learnt about the role of corporate policies in cybersecurity governance, the three types of security policies, what they seek to achieve in the organisation and how they are developed. Information security governance, as achieved through corporate policies, plays a key role in informing organisations how they disseminate and protect information. There are three types of information security policies: Enterprise information security policy (EISP), Issue-specific security policies (ISSPs), and System-specific policies (SysSPs).

These policies are meant to reinforce the confidentiality, integrity and availability of information assets while sufficiently addressing the alignment of business strategy with information security, supporting risk management, and improving resource management through security awareness. These policies help mitigate uncertainty in business operations by reducing information security risks, reduce the potential for civil or legal liability as a result of compromises, and encourage efficient use of security resources.

I felt a bit overwhelmed reading through the material explaining each of these policies; however, I realised how important these policies are to every organisation operating in the information economy. Given the implementation of the Protection of Personal Information (POPI) Act in South Africa, it would be irresponsible for organisations not to comply. I also appreciate the objectives of the Act in protecting personal information for the broader society; however, there seems to be a long way to go in getting ordinary companies that do not have the financial resources to put measures in place to comply with the Act.

How does policy inform culture?
Employees perform at their best in environments where the working environment makes them feel that they contribute to the success of the organisation. Organisations that value retaining skilled employees would therefore ensure that they avoid creating a work environment where the employees perceive themselves as a liability through the activities of the work they are responsible for. It is for this reason that when organisations develop information security policies, they begin with creating security awareness in a manner that encourages buy-in from the employees. If the information security policy, for example, requires that employees are not able to access social media or listen to music whilst performing their duties, employees are less likely to be enthusiastic about their roles because the company culture does not accommodate their day-to-day way of life. This would translate to low staff retention and loss of innovation. A good information security policy would define all acceptable use guidelines to be observed whilst putting controls in place to protect crucial information assets from compromise.

Can culture be created by policy alone?
Culture is inherently a social construct that has always existed and evolved. Policies cannot create culture alone. Policies should complement culture in order to get the most employee compliance, because employees are people at the end of the day. Policies can be stringent in high-clearance organisations such as militaristic organisations; however, employees are generally less likely to comply with a policy that is against the general culture of a people. Organisations should instead use their resources to put information security controls in place to reduce the likelihood of compromise whilst allowing employees to enjoy reasonable access to social media.
