Information security policy: Answering to the board of directors

Computerworld - I recently had a conversation with a longtime colleague, Phyllis Schneck, vice president of eCommSecurity Inc. She is also chairman of InfraGard, a public/private partnership launched by the FBI.

The goal of InfraGard is to strengthen the security of the U.S. critical infrastructure by increasing information-sharing and cooperation between federal law enforcement officials and the private sector and reaching out to companies large and small.

Schneck has been working with the InfraGard board, the FBI, the U.S. Department of Homeland Security and other organizations to develop best practices in building relationships to improve information security programs in both public agencies or private industry.

Wearing her private-sector hat as vice president of Atlanta-based eCommSecurity and leveraging her experience in working with thousands of security professionals nationwide, Schneck's main focus is on the importance of a sound security policy based on the particular requirements of a business.

Our discussion focused on a key question raised during a recent shareholders' meeting: "Can the board of directors assure us that this organization's information security program is deployed fairly and legally in every jurisdiction in which we operate?"

Bill Malik is chief technology officer at Austin, Texas-based Waveset Technologies Inc., where he is responsible for the strategic direction of the company's identity management products. A 25-year veteran of the security technologies industry, he most recently was director of KPMG's Risk and Advisory Services practice and was also vice president at Gartner Inc. He has written more than 150 research reports on security and long-range technology futures.

Schneck was adamant in stressing that the most crucial component of an effective information security policy is obtaining and maintaining employee buy-in. Employees must truly believe in the policy and the benefits it brings to the company and to them. Achieving this support means involving employees from throughout the company in creating and implementing the policy. A solid information security policy is endorsed and driven from the chairman's table down, yet it's created from the mailroom up, fusing opinions and accountability at all levels while still preserving company culture.